Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3
|
|
- Julie Murphy
- 5 years ago
- Views:
Transcription
1 A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt May 1 / 12
2 A Toolkit for Ring-LWE Cryptography Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt May 1 / 12
3 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. 2 / 12
4 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. Many exciting developments in recent years: Encryption [R 05,PW 08,PVW 08,ACPS 09,... ] Signatures [LM 08,GPV 08,L 09,CHKP 10,B 10,GKV 10,BF 11ab,L 12,... ] (H)IBE & FE [GPV 08,CHKP 10,ABB 10,AFV 11,... ] FHE [G 09,vDGHV 10,SV 11,BV 11ab,BGV 12,B 12,... ] Multi-linear maps [GGH 13,CLT 13,... ] 2 / 12
5 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. Many exciting developments in recent years: Encryption [R 05,PW 08,PVW 08,ACPS 09,... ] Signatures [LM 08,GPV 08,L 09,CHKP 10,B 10,GKV 10,BF 11ab,L 12,... ] (H)IBE & FE [GPV 08,CHKP 10,ABB 10,AFV 11,... ] FHE [G 09,vDGHV 10,SV 11,BV 11ab,BGV 12,B 12,... ] Multi-linear maps [GGH 13,CLT 13,... ] Most modern schemes are based on the SIS/LWE problems [A 96,R 05] and/or their ring variants [M 02,PR 06,LM 06,LPR 10]. 2 / 12
6 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. Many exciting developments in recent years: Encryption [R 05,PW 08,PVW 08,ACPS 09,... ] Signatures [LM 08,GPV 08,L 09,CHKP 10,B 10,GKV 10,BF 11ab,L 12,... ] (H)IBE & FE [GPV 08,CHKP 10,ABB 10,AFV 11,... ] FHE [G 09,vDGHV 10,SV 11,BV 11ab,BGV 12,B 12,... ] Multi-linear maps [GGH 13,CLT 13,... ] Most modern schemes are based on the SIS/LWE problems [A 96,R 05] and/or their ring variants [M 02,PR 06,LM 06,LPR 10]. SIS/LWE aren t quite practical: Ω(n 2 ) key sizes and runtimes Ring-based primitives are! Õ(n) complexity 2 / 12
7 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. 3 / 12
8 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. 3 / 12
9 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? 3 / 12
10 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 3 / 12
11 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 Applications need (+, )-combinations of errors to remain short, so we can decode them modulo q. Significantly affects security. 3 / 12
12 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 Applications need (+, )-combinations of errors to remain short, so we can decode them modulo q. Significantly affects security. e + e e + e e e n e e. 3 / 12
13 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 Applications need (+, )-combinations of errors to remain short, so we can decode them modulo q. Significantly affects security. e + e e + e e e n e e. ( Expansion factor n is worst-case, often quite loose.) 3 / 12
14 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. 4 / 12
15 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. 4 / 12
16 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] 4 / 12
17 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] The mth cyclotomic ring: R = Z[X]/Φ m (X) where Φ m (X) = (X ωm) i Z[X], ω m = e 2π 1/m C. i Z m Note: Φ m (X) divides (X m 1), has degree n = ϕ(m) = deg(φ m ). Power Z-basis of R is {1, X, X 2,..., X n 1 }. 4 / 12
18 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] The mth cyclotomic ring: R = Z[X]/Φ m (X) where Φ m (X) = (X ωm) i Z[X], ω m = e 2π 1/m C. i Z m Note: Φ m (X) divides (X m 1), has degree n = ϕ(m) = deg(φ m ). Power Z-basis of R is {1, X, X 2,..., X n 1 }. Examples: Φ 2 k+1(x) = 1 + X 2k, Φ 9 (X) = 1 + X 3 + X 6. 4 / 12
19 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] The mth cyclotomic ring: R = Z[X]/Φ m (X) where Φ m (X) = (X ωm) i Z[X], ω m = e 2π 1/m C. i Z m Note: Φ m (X) divides (X m 1), has degree n = ϕ(m) = deg(φ m ). Power Z-basis of R is {1, X, X 2,..., X n 1 }. Examples: Φ 2 k+1(x) = 1 + X 2k, Φ 9 (X) = 1 + X 3 + X 6. Ring-LWE (appropriately defined) is hard in any cyclotomic [LPR 10]... assuming problems on ideal lattices are quantum-hard in the worst case. 4 / 12
20 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). 5 / 12
21 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. 5 / 12
22 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = / 12
23 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? 5 / 12
24 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 5 / 12
25 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 Φ 105 (X): degree 48; 33 monomials with { 2, 1, 1}-coefficients 5 / 12
26 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 Φ 105 (X): degree 48; 33 monomials with { 2, 1, 1}-coefficients Φ (X): highly irregular; large coeffs 5 / 12
27 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Yuck!!! Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 Φ 105 (X): degree 48; 33 monomials with { 2, 1, 1}-coefficients Φ (X): highly irregular; large coeffs Irregular Φ m (X) induces cumbersome, slower operations modulo Φ m (X) Large expansion factors up to super-polynomial n ω(1) [Erdős 46] Provable & concrete security also degrade with expansion factor: pay twice! 5 / 12
28 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics 6 / 12
29 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). 6 / 12
30 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. 6 / 12
31 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. Key Ideas 1 In algorithms, use tensorial representations of ring elements. No reduction modulo Φ m (X) in fact, don t need Φ m (X) at all! 6 / 12
32 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. Key Ideas 1 In algorithms, use tensorial representations of ring elements. No reduction modulo Φ m (X) in fact, don t need Φ m (X) at all! 2 In analysis, use canonical embedding to define geometry. 6 / 12
33 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. Key Ideas 1 In algorithms, use tensorial representations of ring elements. No reduction modulo Φ m (X) in fact, don t need Φ m (X) at all! 2 In analysis, use canonical embedding to define geometry. 3 Use decoding basis of dual ideal R for noise generation & decoding. Corresponds to the true definition of ring-lwe. 6 / 12
34 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). 7 / 12
35 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). Ancient Theorem [Kummer, 1840s] Let m = l m l be the prime-power factorization of m. Then the mth cyclotomic ring R = Z[X]/Φ m (X) is isomorphic to the tensor product of all the m l th cyclotomic rings: R = Z[X 1, X 2,...]/(Φ m1 (X 1 ), Φ m2 (X 2 ),...). Isomorphism identifies X l with X m/m l. 7 / 12
36 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). Ancient Theorem [Kummer, 1840s] Let m = l m l be the prime-power factorization of m. Then the mth cyclotomic ring R = Z[X]/Φ m (X) is isomorphic to the tensor product of all the m l th cyclotomic rings: R = Z[X 1, X 2,...]/(Φ m1 (X 1 ), Φ m2 (X 2 ),...). Isomorphism identifies X l with X m/m l. The Powerful Basis It s the natural Z-basis {X j 1 1 Xj 2 2 } = l {Xj l l }, 0 j l < ϕ(m l ). 7 / 12
37 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). Ancient Theorem [Kummer, 1840s] Let m = l m l be the prime-power factorization of m. Then the mth cyclotomic ring R = Z[X]/Φ m (X) is isomorphic to the tensor product of all the m l th cyclotomic rings: R = Z[X 1, X 2,...]/(Φ m1 (X 1 ), Φ m2 (X 2 ),...). Isomorphism identifies X l with X m/m l. The Powerful Basis It s the natural Z-basis {X j 1 1 Xj 2 2 } = l {Xj l l }, 0 j l < ϕ(m l ). It is not the power basis {1, X, X 2,..., X ϕ(m) 1 } of Z[X]/Φ m (X). E.g., for m = 15 it s {X j } for j {0, 3, 5, 6, 8, 9, 11, 14}. 7 / 12
38 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. 8 / 12
39 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. 8 / 12
40 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. 8 / 12
41 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. 8 / 12
42 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. E.g.: simple, fast conversions to/from evaluation (CRT) representation, via sequence of prime-power FFTs. 8 / 12
43 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. E.g.: simple, fast conversions to/from evaluation (CRT) representation, via sequence of prime-power FFTs. Geometry: Norms, singular values, Gram-Schmidt orthogonalization, dual basis, etc. all behave well under tensoring. 8 / 12
44 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. E.g.: simple, fast conversions to/from evaluation (CRT) representation, via sequence of prime-power FFTs. Geometry: Norms, singular values, Gram-Schmidt orthogonalization, dual basis, etc. all behave well under tensoring. E.g.: powerful basis is better-conditioned than power basis. 8 / 12
45 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. 9 / 12
46 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) 9 / 12
47 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. 9 / 12
48 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) 9 / 12
49 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. 9 / 12
50 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. 9 / 12
51 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. Under σ, both + and are coordinate-wise: σ(a b) = σ(a) σ(b). 9 / 12
52 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. Under σ, both + and are coordinate-wise: σ(a b) = σ(a) σ(b). Makes expansion very easy to analyze: e.g., a b 2 a b 2. 9 / 12
53 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. Under σ, both + and are coordinate-wise: σ(a b) = σ(a) σ(b). Makes expansion very easy to analyze: e.g., a b 2 a b 2. Ring-LWE is provably hard with (spherical) Gaussian noise under σ. 9 / 12
54 Dual Ideal R and Decoding Basis R = Z[X]/Φ p (X) under embedding σ is a lattice in C p 1. R = Z[X]/Φ 3 (X) X 1 X 0 10 / 12
55 Dual Ideal R and Decoding Basis R = Z[X]/Φ p (X) under embedding σ is a lattice in C p 1. Its dual R has Z-basis {d j }, given by σ(d j ), σ(x j ) = δ j,j. We call {d j } the decoding basis. (It also has a tensor form... ) R = Z[X]/Φ 3 (X) X 1 d 1 d 0 X 0 10 / 12
56 Dual Ideal R and Decoding Basis R = Z[X]/Φ p (X) under embedding σ is a lattice in C p 1. Its dual R has Z-basis {d j }, given by σ(d j ), σ(x j ) = δ j,j. We call {d j } the decoding basis. (It also has a tensor form... ) R is a (fractional) ideal, and pr R R, with pr R. R = Z[X]/Φ 3 (X) R R X 1 d 1 d 0 X 0 d 1 d 0 10 / 12
57 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. 11 / 12
58 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. 11 / 12
59 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. 11 / 12
60 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. 11 / 12
61 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. Moreover, e j are optimally small given density of R, because powerful basis {X j } is optimally short given density of R. 11 / 12
62 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. Moreover, e j are optimally small given density of R, because powerful basis {X j } is optimally short given density of R. By contrast, such optimal decoding is not possible for R/qR, because R lacks optimally short elements for its density. 11 / 12
63 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. Moreover, e j are optimally small given density of R, because powerful basis {X j } is optimally short given density of R. By contrast, such optimal decoding is not possible for R/qR, because R lacks optimally short elements for its density. Bottom line: using R is actually beneficial in applications! (And advanced applications benefit even more from its algebraic properties.) 11 / 12
64 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: 12 / 12
65 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, 12 / 12
66 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, 12 / 12
67 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. 12 / 12
68 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. Much more in the paper: regularity lemma, (homomorphic) encryption schemes, implementation advice, / 12
69 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. Much more in the paper: regularity lemma, (homomorphic) encryption schemes, implementation advice,... Implementations coming soon! 12 / 12
70 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. Much more in the paper: regularity lemma, (homomorphic) encryption schemes, implementation advice,... Implementations coming soon! Thanks! Full version: eprint #2013/ / 12
Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationA Toolkit for Ring-LWE Cryptography
A Toolkit for Ring-LWE Cryptography Vadim Lyubashevsky Chris Peikert Oded Regev May 16, 2013 Abstract Recent advances in lattice cryptography, mainly stemming from the development of ring-based primitives
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationImplementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields
Department of Mathematics and Department of Computer Science Master Thesis Implementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields Christoph Manuel Mayer December 16,
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky Chris Peikert Oded Regev June 25, 2013 Abstract The learning with errors (LWE) problem is to distinguish random linear equations,
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert October 9, 2013 Abstract Gentry s bootstrapping technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationNoise Distributions in Homomorphic Ring-LWE
Noise Distributions in Homomorphic Ring-LWE Sean Murphy and Rachel Player Royal Holloway, University of London, U.K. s.murphy@rhul.ac.uk Rachel.Player.2013@live.rhul.ac.uk 12 June 2017 Abstract. We develop
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationWeak Instances of PLWE
Weak Instances of PLWE Kirsten Eisenträger 1, Sean Hallgren 2, and Kristin Lauter 3 1 Department of Mathematics, The Pennsylvania State University, University Park, PA 16802, USA, and Harvard University.
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationField Switching in BGV-Style Homomorphic Encryption
Field Switching in BGV-Style Homomorphic Encryption Craig Gentry IBM Research Shai Halevi IBM Research Nigel P. Smart University of Bristol Chris Peikert Georgia Institute of Technology September 13, 2013
More informationBootstrapping for HElib
Bootstrapping for HElib Shai Halevi 1 and Victor Shoup 1,2 1 IBM Research 2 New York University Abstract. Gentry s bootstrapping technique is still the only known method of obtaining fully homomorphic
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationOn the Ring-LWE and Polynomial-LWE problems
On the Ring-LWE and Polynomial-LWE problems Miruna Rosca Damien Stehlé Alexandre Wallet EUROCRYPT 2018 Miruna Rosca EUROCRYPT 2018 1 / 14 Lattices and hard problems Lattice Let b 1, b 2,..., b n R n be
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More information1 / 10. An Efficient and Parallel Gaussian Sampler for Lattices. Chris Peikert Georgia Tech
1 / 10 An Effiient and Parallel Gaussian Sampler for Latties Chris Peikert Georgia Teh CRYPTO 2010 2 / 10 Lattie-Based Crypto L R n 2 / 10 Lattie-Based Crypto L R n p 1 p 2 Lattie-Based Crypto L R n p
More informationSubring Homomorphic Encryption
Subring Homomorphic Encryption Seiko Arita Sari Handa June 7, 2017 Abstract In this paper, we construct subring homomorphic encryption scheme that is a homomorphic encryption scheme built on the decomposition
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationRing-SIS and Ideal Lattices
Ring-SIS and Ideal Lattices Noah Stephens-Davidowitz (for Vinod Vaikuntanathan s class) 1 Recalling h A, and its inefficiency As we have seen, the SIS problem yields a very simple collision-resistant hash
More informationRecovering Short Generators of Principal Ideals: Extensions and Open Problems
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationOn the Leakage Resilience of Ideal-Lattice Based Public Key Encryption
On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni, and Aria Shahverdi University of Maryland, College Park, USA danadach@ece.umd.edu,
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationFunctional Lattice Cryptography
Λ λ : Functional Lattice Cryptography Eric Crockett * Chris Peikert August 17, 2016 Abstract This work describes the design, implementation, and evaluation of Λ λ, a general-purpose software framework
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationIncreased efficiency and functionality through lattice-based cryptography
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium
More informationIn Praise of Twisted Canonical Embedding
In Praise of Twisted Canonical Embedding Jheyne N. Ortiz 1, Robson R. de Araujo 2, Ricardo Dahab 1, Diego F. Aranha 1, and Sueli I. R. Costa 2 1 Institute of Computing, University of Campinas, Brazil jheyne.ortiz@ic.unicamp.br
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationProving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationAn Improved RNS Variant of the BFV Homomorphic Encryption Scheme
An Improved RNS Variant of the BFV Homomorphic Encryption Scheme Shai Halevi 1, Yuriy Polyakov 2, and Victor Shoup 3 1 IBM Research 2 NJIT Cybersecurity Research Center 3 NYU Abstract. We present an optimized
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationProvably Weak Instances of Ring-LWE Revisited
Provably Weak Instances of Ring-LWE Revisited Wouter Castryck 1,2, Ilia Iliashenko 1, and Frederik Vercauteren 1 1 KU Leuven ESAT/COSIC and iminds Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry IBM Shai Halevi IBM Nigel P. Smart University of Bristol December 15, 2011 Abstract Gentry s bootstrapping technique is currently the only
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationLattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability
Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability Rafael del Pino, Vadim Lyubashevsky, and Gregor Seiler,3 ENS Paris IBM Research Zurich 3 ETH Zurich Abstract. We present
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationFixed-Point Arithmetic in SHE Schemes
Fixed-Point Arithmetic in SHE Schemes Anamaria Costache 1, Nigel P. Smart 1, Srinivas Vivek 1, Adrian Waller 2 1 University of Bristol 2 Thales UK Research & Technology July 6, 2016 Outline Motivation
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationCyclotomic Polynomials in Ring-LWE Homomorphic Encryption Schemes
Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 6-1-2016 Cyclotomic Polynomials in Ring-LWE Homomorphic Encryption Schemes Tamalika Mukherjee txm1809@rit.edu
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationSimple Lattice Trapdoor Sampling from a Broad Class of Distributions
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky 1 and Daniel Wichs 2 1 Inria/ENS, Paris 2 Northeastern University Abstract. At the center of many lattice-based constructions
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationA connection between number theory and linear algebra
A connection between number theory and linear algebra Mark Steinberger Contents 1. Some basics 1 2. Rational canonical form 2 3. Prime factorization in F[x] 4 4. Units and order 5 5. Finite fields 7 6.
More informationMATH 361: NUMBER THEORY TENTH LECTURE
MATH 361: NUMBER THEORY TENTH LECTURE The subject of this lecture is finite fields. 1. Root Fields Let k be any field, and let f(x) k[x] be irreducible and have positive degree. We want to construct a
More informationAn Efficient and Parallel Gaussian Sampler for Lattices
An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Institute of Technology Abstract. At the heart of many recent lattice-based cryptographic schemes is a polynomial-time algorithm
More informationLecture 6: Lattice Trapdoor Constructions
Homomorphic Encryption and Lattices, Spring 0 Instructor: Shai Halevi Lecture 6: Lattice Trapdoor Constructions April 7, 0 Scribe: Nir Bitansky This lecture is based on the trapdoor constructions due to
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationPROVABLY WEAK INSTANCES OF RING-LWE
PROVABLY WEAK INSTANCES OF RING-LWE YARA ELIAS, KRISTIN E. LAUTER, EKIN OZMAN, AND KATHERINE E. STANGE Abstract. The ring and polynomial learning with errors problems (Ring-LWE and Poly-LWE) have been
More informationFaster Bootstrapping with Polynomial Error
Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert June 13, 2014 Abstract Bootstrapping is a technique, originally due to Gentry (STOC 2009), for refreshing ciphertexts of a
More informationOded Regev Courant Institute, NYU
Fast er algorithm for the Shortest Vector Problem Oded Regev Courant Institute, NYU (joint with Aggarwal, Dadush, and Stephens-Davidowitz) A lattice is a set of points Lattices L={a 1 v 1 + +a n v n a
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry 1, Shai Halevi 1, and Nigel P. Smart 2 1 IBM T.J. Watson Research Center 2 Dept. Computer Science, University of Bristol Abstract. Gentry
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationFrom the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem
From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationSIMPLY SAFE LATTICE CRYPTOGRAPHY. A Dissertation Presented to The Academic Faculty. Eric Crockett
SIMPLY SAFE LATTICE CRYPTOGRAPHY A Dissertation Presented to The Academic Faculty By Eric Crockett In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the School of Computer
More informationAsymptotically Efficient Lattice-Based Digital Signatures
Asymptotically Efficient Lattice-Based Digital Signatures Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 IBM Research Zurich 2 University of California, San Diego Abstract. We present a general framework
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationComputing generator in cyclotomic integer rings
Computing generator in cyclotomic integer rings A L K (1/2) algorithm for the Principal Ideal Problem and application to the cryptanalysis of a FHE scheme Thomas Espitau 1, Pierre-Alain Fouque 2, Alexandre
More informationFaster Homomorphic Evaluation of Discrete Fourier Transforms
Faster Homomorphic Evaluation of Discrete Fourier Transforms Anamaria Costache, Nigel P. Smart, and Srinivas Vivek University of Bristol, Bristol, UK Abstract. We present a methodology to achieve low latency
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationRunning head: IDEAL LATTICE CRYPTOGRAPHY 1. Ideal Lattice Cryptography: Escaping the Cryptopocalypse. Stephen Gillen. Georgia Institute of Technology
Running head: IDEAL LATTICE CRYPTOGRAPHY 1 Ideal Lattice Cryptography: Escaping the Cryptopocalypse Stephen Gillen Georgia Institute of Technology MATH 6122 Algebra II April 29, 2016 IDEAL LATTICE CRYPTOGRAPHY
More informationFinite Fields. [Parts from Chapter 16. Also applications of FTGT]
Finite Fields [Parts from Chapter 16. Also applications of FTGT] Lemma [Ch 16, 4.6] Assume F is a finite field. Then the multiplicative group F := F \ {0} is cyclic. Proof Recall from basic group theory
More informationProvably Weak Instances of Ring-LWE
Provably Weak Instances of Ring-LWE Yara Elias 1, Kristin E. Lauter 2, Ekin Ozman 3, and Katherine E. Stange 4 1 Department of Mathematics And Statistics, McGill University, Montreal, Quebec, Canada, yara.elias@mail.mcgill.ca
More information