Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Transcription

1 Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April / 16

2 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b ) N = p q = (Images courtesy xkcd.org) 2 / 16

3 Lattice-Based Cryptography = (Images courtesy xkcd.org) 2 / 16

4 Lattice-Based Cryptography = Why? Simple & efficient: linear, highly parallel operations Resist quantum attacks (so far) Secure under worst-case hardness assumptions [Ajtai 96,... ] Solve holy grail problems like FHE [Gentry 09,... ] (Images courtesy xkcd.org) 2 / 16

5 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z i=1 b 1 b 2 3 / 16

6 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z = {Bx: x Z n } i=1 b 1 b 2 3 / 16

7 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z = {Bx: x Z n } i=1 c 2 b 1 b 2 c 1 The same lattice has many bases Λ = {Cx: x Z n } 3 / 16

8 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z = {Bx: x Z n } i=1 The same lattice has many bases Λ = {Cx: x Z n } Definition (Lattice) Discrete additive subgroup of R d E.g. Λ = {x Z d : Ax = 0} 3 / 16

9 Point Lattices: Examples e 1 e 2 The simplest lattice in n-dimensional space is the integer lattice Λ = Z n 4 / 16

10 Point Lattices: Examples e 1 e 2 b 1 b 2 The simplest lattice in n-dimensional space is the integer lattice Λ = Z n Other lattices are obtained by applying a linear transformation Λ = BZ n (B R d n ) 4 / 16

11 Point Lattices: Examples e 1 e 2 b 1 b 2 The simplest lattice in n-dimensional space is the integer lattice Other lattices are obtained by applying a linear transformation Λ = Z n Λ = BZ n (B R d n ) Remark All lattices have the same group structure, but different geometry 4 / 16

12 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). 5 / 16

13 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] 5 / 16

14 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] 5 / 16

15 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) O (q, 0) 5 / 16

16 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) O x (q, 0) 5 / 16

17 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) (0, q) a 2 a 1 x O (q, 0) O (q, 0) 5 / 16

18 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) (0, q) A t s e a 2 a 1 x O (q, 0) O (q, 0) 5 / 16

19 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Remark: fa and g A are essentially equivalent functions See e.g. Duality in lattice cryptography [M 10] Main difference: e is even shorter than x Notational convention: Function x/e Injective Surjective f A short g A very short 5 / 16

20 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Remark: fa and g A are essentially equivalent functions See e.g. Duality in lattice cryptography [M 10] Main difference: e is even shorter than x Notational convention: Function x/e Injective Surjective f A short g A very short f A, g A in forward direction yield CRHFs, CPA-secure encryption... and not much else. 5 / 16

21 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. 6 / 16

22 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. Invert g A (s, e) = s t A + e t mod q: find the unique preimage s (equivalently, e) 6 / 16

23 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. Invert u = f A (x ) = Ax mod q: sample random x f 1 A (u) with prob exp( x 2 /σ 2 ). Invert g A (s, e) = s t A + e t mod q: find the unique preimage s (equivalently, e) 6 / 16

24 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. Invert u = f A (x ) = Ax mod q: sample random x f 1 A (u) with prob exp( x 2 /σ 2 ). Invert g A (s, e) = s t A + e t mod q: find the unique preimage s (equivalently, e) How? Use a strong trapdoor for A: a short basis of Λ (A) [Babai 86,GGH 97,Klein 01,GPV 08,P 10] O 6 / 16

25 Applications of Strong Trapdoors Applications of f 1, g 1 Hash and Sign signatures in Random oracle (RO) model [GPV 08] Standard model (no RO) signatures [CHKP 10,R 10,B 10] SM CCA-secure encryption [PW 08,P 09] SM (Hierarchical) IBE [GPV 08,CHKP 10,ABB 10a,ABB 10b] Many more: OT, NISZK, homom enc/sigs, deniable enc, func enc,... [PVW 08,PV 08,GHV 10,GKV 10,BF 10a,BF 10b,OPW 11,AFV 11,ABVVW 11,... ] 7 / 16

26 Applications of Strong Trapdoors Applications of f 1, g 1 Hash and Sign signatures in Random oracle (RO) model [GPV 08] Standard model (no RO) signatures [CHKP 10,R 10,B 10] SM CCA-secure encryption [PW 08,P 09] SM (Hierarchical) IBE [GPV 08,CHKP 10,ABB 10a,ABB 10b] Many more: OT, NISZK, homom enc/sigs, deniable enc, func enc,... [PVW 08,PV 08,GHV 10,GKV 10,BF 10a,BF 10b,OPW 11,AFV 11,ABVVW 11,... ] Some Drawbacks... Generating A w/ short basis is complicated and slow [Ajtai 99,AP 09] Known inversion algorithms trade quality for efficiency tight, iterative, fp looser, parallel, offline g 1 A [Babai 86] [Babai 86] f 1 A [Klein 01,GPV 08] [P 10] 7 / 16

27 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 8 / 16

28 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 8 / 16

29 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 8 / 16

30 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 3 Dimension m, std dev σ = preimage length β = x σ m. 8 / 16

31 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 3 Dimension m, std dev σ = preimage length β = x σ m. 4 Choose n, q so that finding β-bounded preimages is hard. 8 / 16

32 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 3 Dimension m, std dev σ = preimage length β = x σ m. 4 Choose n, q so that finding β-bounded preimages is hard. Better dimension m & quality σ = win-win-win in security-keysize-runtime 8 / 16

33 Our Contributions New strong trapdoor generation and inversion algorithms: 9 / 16

34 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff 9 / 16

35 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff Tighter parameters m and σ Asymptotically optimal with small constant factors Ex improvement: 32x in dim m, 25x in quality σ 67x in keysize 9 / 16

36 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff Tighter parameters m and σ Asymptotically optimal with small constant factors Ex improvement: 32x in dim m, 25x in quality σ 67x in keysize New kind of trapdoor not a basis! (But just as powerful.) Half the dimension of a basis 4x size improvement Delegation: size grows as O(dim), versus O(dim 2 ) [CHKP 10] 9 / 16

37 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff Tighter parameters m and σ Asymptotically optimal with small constant factors Ex improvement: 32x in dim m, 25x in quality σ 67x in keysize New kind of trapdoor not a basis! (But just as powerful.) Half the dimension of a basis 4x size improvement Delegation: size grows as O(dim), versus O(dim 2 ) [CHKP 10] More efficient applications (beyond black-box improvements) 9 / 16

38 Concrete Parameter Improvements Before [AP 09] Now (fast f 1 ) Improvement Dim m slow f 1 : > 5n log q 2n log q ( s ) fast f 1 : > n log 2 q n(1 + log q) ( c ) 2.5 log q 10 / 16

39 Concrete Parameter Improvements Before [AP 09] Now (fast f 1 ) Improvement Dim m slow f 1 : > 5n log q 2n log q ( s ) fast f 1 : > n log 2 q n(1 + log q) ( c ) 2.5 log q Quality σ slow f 1 : 20 n log q fast f 1 : 16 n log 2 q 1.6 n log q log q 10 / 16

40 Concrete Parameter Improvements Before [AP 09] Now (fast f 1 ) Improvement Dim m slow f 1 : > 5n log q 2n log q ( s ) fast f 1 : > n log 2 q n(1 + log q) ( c ) 2.5 log q Quality σ slow f 1 : 20 n log q fast f 1 : 16 n log 2 q 1.6 n log q log q Example parameters for (ring-based) GPV signatures: n q δ to break pk size (bits) Before (fast f 1 ) Now Bottom line: 45-fold improvement in key size. 10 / 16

41 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. G 11 / 16

42 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) G A 11 / 16

43 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16

44 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16

45 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16

46 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16

47 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 1 A to fg, g 1 G plus pre-/post-processing. 4 Problem: Transformation distorts noise. G A 11 / 16

48 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. 4 Problem: Transformation distorts noise. Solution: add perturbation during pre-/post-processing [P 10] G A 11 / 16

49 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k q. 12 / 16

50 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k / 16

51 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1 almost orthogonal ( S = 2 I k ),... q. Zk k / 16

52 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), 12 / 16

53 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) 12 / 16

54 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) f g, g g are efficiently invertible, either by optimized versions of [Babai 86,Klein 01,GPV 08], or other specialized algorithms. 12 / 16

55 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) f g, g g are efficiently invertible, either by optimized versions of [Babai 86,Klein 01,GPV 08], or other specialized algorithms. Inverting f on very small inputs Find x {0, 1} k such that f g (x) = g x = y mod q. 12 / 16

56 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) f g, g g are efficiently invertible, either by optimized versions of [Babai 86,Klein 01,GPV 08], or other specialized algorithms. Inverting f on very small inputs Find x {0, 1} k such that f g (x) = g x = y mod q. Solution: set x to the binary representation of y 12 / 16

57 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. 13 / 16

58 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1, g 1 g g. 13 / 16

59 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1 g, gg 1. Running time: almost linear in n, and trivially parallelizable up to n processors. 13 / 16

60 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1 g, gg 1. Running time: almost linear in n, and trivially parallelizable up to n processors. The lattice Λ (G) has short basis S S n S = I n S =... Zn nk q S 13 / 16

61 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1 g, gg 1. Running time: almost linear in n, and trivially parallelizable up to n processors. The lattice Λ (G) has short basis S S n S = I n S =... Zn nk q S almost orthogonal ( S n = 2 I kn ), and sparse (< 2kn nonzero entries). 13 / 16

62 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 14 / 16

63 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular 14 / 16

64 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular A is uniform if [Ā ĀR] is: leftover hash lemma for m n log q. 14 / 16

65 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular A is uniform if [Ā ĀR] is: leftover hash lemma for m n log q. With G = 0, we get Ajtai s original method for constructing A with a weak trapdoor of 1 short vector (but not a full basis). 14 / 16

66 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular A is uniform if [Ā ĀR] is: leftover hash lemma for m n log q. With G = 0, we get Ajtai s original method for constructing A with a weak trapdoor of 1 short vector (but not a full basis). [I Ā (ĀR 1 + R 2 )] is pseudorandom (under LWE) for m = n. 14 / 16

67 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 15 / 16

68 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 15 / 16

69 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 3 Batch application of T (or T 1 ) to several inputs can be computed asymptotically faster using fast matrix multiplication algorithms. 15 / 16

70 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 3 Batch application of T (or T 1 ) to several inputs can be computed asymptotically faster using fast matrix multiplication algorithms. 4 Both T and T 1 introduce relatively low (in fact, optimal) distorsion because R has small (Gaussian) entries. 15 / 16

71 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 3 Batch application of T (or T 1 ) to several inputs can be computed asymptotically faster using fast matrix multiplication algorithms. 4 Both T and T 1 introduce relatively low (in fact, optimal) distorsion because R has small (Gaussian) entries. 5 A basis for Λ (A) is easily computed using T, but never needed: R serves as a new trapdoor 15 / 16

72 Conclusions A new, simpler, more efficient trapdoor notion and construction 16 / 16

73 Conclusions A new, simpler, more efficient trapdoor notion and construction Exposing structure of trapdoor to applications yields further efficiency improvements 16 / 16

74 Conclusions A new, simpler, more efficient trapdoor notion and construction Exposing structure of trapdoor to applications yields further efficiency improvements Key sizes and algorithms for strong trapdoors are now practical 16 / 16

75 Conclusions A new, simpler, more efficient trapdoor notion and construction Exposing structure of trapdoor to applications yields further efficiency improvements Key sizes and algorithms for strong trapdoors are now practical Questions? 16 / 16