Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller
|
|
- Suzanna Ami Weaver
- 5 years ago
- Views:
Transcription
1 Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April / 16
2 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b ) N = p q = (Images courtesy xkcd.org) 2 / 16
3 Lattice-Based Cryptography = (Images courtesy xkcd.org) 2 / 16
4 Lattice-Based Cryptography = Why? Simple & efficient: linear, highly parallel operations Resist quantum attacks (so far) Secure under worst-case hardness assumptions [Ajtai 96,... ] Solve holy grail problems like FHE [Gentry 09,... ] (Images courtesy xkcd.org) 2 / 16
5 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z i=1 b 1 b 2 3 / 16
6 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z = {Bx: x Z n } i=1 b 1 b 2 3 / 16
7 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z = {Bx: x Z n } i=1 c 2 b 1 b 2 c 1 The same lattice has many bases Λ = {Cx: x Z n } 3 / 16
8 Point Lattices A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R d : Λ = n b i Z = {Bx: x Z n } i=1 The same lattice has many bases Λ = {Cx: x Z n } Definition (Lattice) Discrete additive subgroup of R d E.g. Λ = {x Z d : Ax = 0} 3 / 16
9 Point Lattices: Examples e 1 e 2 The simplest lattice in n-dimensional space is the integer lattice Λ = Z n 4 / 16
10 Point Lattices: Examples e 1 e 2 b 1 b 2 The simplest lattice in n-dimensional space is the integer lattice Λ = Z n Other lattices are obtained by applying a linear transformation Λ = BZ n (B R d n ) 4 / 16
11 Point Lattices: Examples e 1 e 2 b 1 b 2 The simplest lattice in n-dimensional space is the integer lattice Other lattices are obtained by applying a linear transformation Λ = Z n Λ = BZ n (B R d n ) Remark All lattices have the same group structure, but different geometry 4 / 16
12 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). 5 / 16
13 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] 5 / 16
14 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] 5 / 16
15 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) O (q, 0) 5 / 16
16 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) O x (q, 0) 5 / 16
17 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) (0, q) a 2 a 1 x O (q, 0) O (q, 0) 5 / 16
18 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Lattice interpretation: Λ (A) = {x Z m : f A (x) = Ax = 0 mod q} (0, q) (0, q) A t s e a 2 a 1 x O (q, 0) O (q, 0) 5 / 16
19 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Remark: fa and g A are essentially equivalent functions See e.g. Duality in lattice cryptography [M 10] Main difference: e is even shorter than x Notational convention: Function x/e Injective Surjective f A short g A very short 5 / 16
20 Lattice-Based One-Way Functions Public key [ ] A Z n m q for q = poly(n), m = Ω(n log q). f A (x) = Ax mod q Z n q ( short x, surjective) CRHF if SIS hard [Ajtai 96,... ] g A (s, e) = s t A + e t mod q Z m q ( very short e, injective) OWF if LWE hard [Regev 05,P 09] Remark: fa and g A are essentially equivalent functions See e.g. Duality in lattice cryptography [M 10] Main difference: e is even shorter than x Notational convention: Function x/e Injective Surjective f A short g A very short f A, g A in forward direction yield CRHFs, CPA-secure encryption... and not much else. 5 / 16
21 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. 6 / 16
22 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. Invert g A (s, e) = s t A + e t mod q: find the unique preimage s (equivalently, e) 6 / 16
23 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. Invert u = f A (x ) = Ax mod q: sample random x f 1 A (u) with prob exp( x 2 /σ 2 ). Invert g A (s, e) = s t A + e t mod q: find the unique preimage s (equivalently, e) 6 / 16
24 Trapdoor Inversion Many cryptographic applications need to invert f A and/or g A. Invert u = f A (x ) = Ax mod q: sample random x f 1 A (u) with prob exp( x 2 /σ 2 ). Invert g A (s, e) = s t A + e t mod q: find the unique preimage s (equivalently, e) How? Use a strong trapdoor for A: a short basis of Λ (A) [Babai 86,GGH 97,Klein 01,GPV 08,P 10] O 6 / 16
25 Applications of Strong Trapdoors Applications of f 1, g 1 Hash and Sign signatures in Random oracle (RO) model [GPV 08] Standard model (no RO) signatures [CHKP 10,R 10,B 10] SM CCA-secure encryption [PW 08,P 09] SM (Hierarchical) IBE [GPV 08,CHKP 10,ABB 10a,ABB 10b] Many more: OT, NISZK, homom enc/sigs, deniable enc, func enc,... [PVW 08,PV 08,GHV 10,GKV 10,BF 10a,BF 10b,OPW 11,AFV 11,ABVVW 11,... ] 7 / 16
26 Applications of Strong Trapdoors Applications of f 1, g 1 Hash and Sign signatures in Random oracle (RO) model [GPV 08] Standard model (no RO) signatures [CHKP 10,R 10,B 10] SM CCA-secure encryption [PW 08,P 09] SM (Hierarchical) IBE [GPV 08,CHKP 10,ABB 10a,ABB 10b] Many more: OT, NISZK, homom enc/sigs, deniable enc, func enc,... [PVW 08,PV 08,GHV 10,GKV 10,BF 10a,BF 10b,OPW 11,AFV 11,ABVVW 11,... ] Some Drawbacks... Generating A w/ short basis is complicated and slow [Ajtai 99,AP 09] Known inversion algorithms trade quality for efficiency tight, iterative, fp looser, parallel, offline g 1 A [Babai 86] [Babai 86] f 1 A [Klein 01,GPV 08] [P 10] 7 / 16
27 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 8 / 16
28 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 8 / 16
29 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 8 / 16
30 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 3 Dimension m, std dev σ = preimage length β = x σ m. 8 / 16
31 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 3 Dimension m, std dev σ = preimage length β = x σ m. 4 Choose n, q so that finding β-bounded preimages is hard. 8 / 16
32 Taming the Parameters {[ ] n A }{{} m f A (x) = Ax O 1 Trapdoor construction yields some lattice dim m = Ω(n log q). 2 Basis quality lengths of basis vectors Gaussian std dev σ. 3 Dimension m, std dev σ = preimage length β = x σ m. 4 Choose n, q so that finding β-bounded preimages is hard. Better dimension m & quality σ = win-win-win in security-keysize-runtime 8 / 16
33 Our Contributions New strong trapdoor generation and inversion algorithms: 9 / 16
34 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff 9 / 16
35 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff Tighter parameters m and σ Asymptotically optimal with small constant factors Ex improvement: 32x in dim m, 25x in quality σ 67x in keysize 9 / 16
36 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff Tighter parameters m and σ Asymptotically optimal with small constant factors Ex improvement: 32x in dim m, 25x in quality σ 67x in keysize New kind of trapdoor not a basis! (But just as powerful.) Half the dimension of a basis 4x size improvement Delegation: size grows as O(dim), versus O(dim 2 ) [CHKP 10] 9 / 16
37 Our Contributions New strong trapdoor generation and inversion algorithms: Very simple & fast Generation: one matrix mult. No HNF or inverses (cf. [A 99,AP 09]) Inversion: practical, parallel, & mostly offline No more efficiency-vs-quality tradeoff Tighter parameters m and σ Asymptotically optimal with small constant factors Ex improvement: 32x in dim m, 25x in quality σ 67x in keysize New kind of trapdoor not a basis! (But just as powerful.) Half the dimension of a basis 4x size improvement Delegation: size grows as O(dim), versus O(dim 2 ) [CHKP 10] More efficient applications (beyond black-box improvements) 9 / 16
38 Concrete Parameter Improvements Before [AP 09] Now (fast f 1 ) Improvement Dim m slow f 1 : > 5n log q 2n log q ( s ) fast f 1 : > n log 2 q n(1 + log q) ( c ) 2.5 log q 10 / 16
39 Concrete Parameter Improvements Before [AP 09] Now (fast f 1 ) Improvement Dim m slow f 1 : > 5n log q 2n log q ( s ) fast f 1 : > n log 2 q n(1 + log q) ( c ) 2.5 log q Quality σ slow f 1 : 20 n log q fast f 1 : 16 n log 2 q 1.6 n log q log q 10 / 16
40 Concrete Parameter Improvements Before [AP 09] Now (fast f 1 ) Improvement Dim m slow f 1 : > 5n log q 2n log q ( s ) fast f 1 : > n log 2 q n(1 + log q) ( c ) 2.5 log q Quality σ slow f 1 : 20 n log q fast f 1 : 16 n log 2 q 1.6 n log q log q Example parameters for (ring-based) GPV signatures: n q δ to break pk size (bits) Before (fast f 1 ) Now Bottom line: 45-fold improvement in key size. 10 / 16
41 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. G 11 / 16
42 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) G A 11 / 16
43 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16
44 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16
45 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16
46 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. G A 11 / 16
47 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 1 A to fg, g 1 G plus pre-/post-processing. 4 Problem: Transformation distorts noise. G A 11 / 16
48 Overview of Methods 1 Design a fixed, public lattice defined by gadget G. Give fast, parallel, offline algorithms for f 1 G, g 1 G. 2 Randomize G A via a nice unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f 1 A, g 1 A to f 1 G, g 1 G plus pre-/post-processing. 4 Problem: Transformation distorts noise. Solution: add perturbation during pre-/post-processing [P 10] G A 11 / 16
49 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k q. 12 / 16
50 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k / 16
51 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1 almost orthogonal ( S = 2 I k ),... q. Zk k / 16
52 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), 12 / 16
53 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) 12 / 16
54 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) f g, g g are efficiently invertible, either by optimized versions of [Babai 86,Klein 01,GPV 08], or other specialized algorithms. 12 / 16
55 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) f g, g g are efficiently invertible, either by optimized versions of [Babai 86,Klein 01,GPV 08], or other specialized algorithms. Inverting f on very small inputs Find x {0, 1} k such that f g (x) = g x = y mod q. 12 / 16
56 Gadget G construction: the primitive vector g Let q = 2 k. Define lattice Λ (g) by 1 k parity check vector g := [ k 1] Z 1 k Λ (g) has a short basis S = 1... q. Zk k almost orthogonal ( S = 2 I k ), sparse (2k 1 nonzero entries), and low dimensional (k = log q = O(log n)) f g, g g are efficiently invertible, either by optimized versions of [Babai 86,Klein 01,GPV 08], or other specialized algorithms. Inverting f on very small inputs Find x {0, 1} k such that f g (x) = g x = y mod q. Solution: set x to the binary representation of y 12 / 16
57 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. 13 / 16
58 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1, g 1 g g. 13 / 16
59 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1 g, gg 1. Running time: almost linear in n, and trivially parallelizable up to n processors. 13 / 16
60 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1 g, gg 1. Running time: almost linear in n, and trivially parallelizable up to n processors. The lattice Λ (G) has short basis S S n S = I n S =... Zn nk q S 13 / 16
61 Gadget G construction: from g to G g g Define G = I n g =... Zn nk g q. Now f 1 G, g 1 G reduce to n parallel calls to f 1 g, gg 1. Running time: almost linear in n, and trivially parallelizable up to n processors. The lattice Λ (G) has short basis S S n S = I n S =... Zn nk q S almost orthogonal ( S n = 2 I kn ), and sparse (< 2kn nonzero entries). 13 / 16
62 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 14 / 16
63 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular 14 / 16
64 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular A is uniform if [Ā ĀR] is: leftover hash lemma for m n log q. 14 / 16
65 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular A is uniform if [Ā ĀR] is: leftover hash lemma for m n log q. With G = 0, we get Ajtai s original method for constructing A with a weak trapdoor of 1 short vector (but not a full basis). 14 / 16
66 Randomized Trasformation G A 1 Define semi-random [Ā G] for uniform (universal) Ā Zn m q. (Computing f 1, g 1 easily reduce to f 1 G, g 1 G.) 2 Choose short (Gaussian) R Z m n log q and let [ ] I R A := [Ā G] = [Ā I G ĀR]. }{{} unimodular A is uniform if [Ā ĀR] is: leftover hash lemma for m n log q. With G = 0, we get Ajtai s original method for constructing A with a weak trapdoor of 1 short vector (but not a full basis). [I Ā (ĀR 1 + R 2 )] is pseudorandom (under LWE) for m = n. 14 / 16
67 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 15 / 16
68 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 15 / 16
69 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 3 Batch application of T (or T 1 ) to several inputs can be computed asymptotically faster using fast matrix multiplication algorithms. 15 / 16
70 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 3 Batch application of T (or T 1 ) to several inputs can be computed asymptotically faster using fast matrix multiplication algorithms. 4 Both T and T 1 introduce relatively low (in fact, optimal) distorsion because R has small (Gaussian) entries. 15 / 16
71 Randomized Trasformation G A: Efficiency 1 Linear transformation is easily computable ( m n log q) T = [ ] I R I ( m+n log q) ( m+n log q) Z q 2 Inverse transformation is just as simple [ ] T 1 I +R = I 3 Batch application of T (or T 1 ) to several inputs can be computed asymptotically faster using fast matrix multiplication algorithms. 4 Both T and T 1 introduce relatively low (in fact, optimal) distorsion because R has small (Gaussian) entries. 5 A basis for Λ (A) is easily computed using T, but never needed: R serves as a new trapdoor 15 / 16
72 Conclusions A new, simpler, more efficient trapdoor notion and construction 16 / 16
73 Conclusions A new, simpler, more efficient trapdoor notion and construction Exposing structure of trapdoor to applications yields further efficiency improvements 16 / 16
74 Conclusions A new, simpler, more efficient trapdoor notion and construction Exposing structure of trapdoor to applications yields further efficiency improvements Key sizes and algorithms for strong trapdoors are now practical 16 / 16
75 Conclusions A new, simpler, more efficient trapdoor notion and construction Exposing structure of trapdoor to applications yields further efficiency improvements Key sizes and algorithms for strong trapdoors are now practical Questions? 16 / 16
Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3
A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationLecture 6: Lattice Trapdoor Constructions
Homomorphic Encryption and Lattices, Spring 0 Instructor: Shai Halevi Lecture 6: Lattice Trapdoor Constructions April 7, 0 Scribe: Nir Bitansky This lecture is based on the trapdoor constructions due to
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 and Chris Peikert 2 1 University of California, San Diego 2 Georgia nstitute of Technology Abstract. We give new methods for
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More information1 / 10. An Efficient and Parallel Gaussian Sampler for Lattices. Chris Peikert Georgia Tech
1 / 10 An Effiient and Parallel Gaussian Sampler for Latties Chris Peikert Georgia Teh CRYPTO 2010 2 / 10 Lattie-Based Crypto L R n 2 / 10 Lattie-Based Crypto L R n p 1 p 2 Lattie-Based Crypto L R n p
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationGenerating Shorter Bases for Hard Random Lattices
Generating Shorter Bases for Hard Random Lattices Joël Alwen New York University Chris Peikert Georgia Institute of Technology July 10, 2010 Abstract We revisit the problem of generating a hard random
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationBonsai Trees, or How to Delegate a Lattice Basis
Bonsai Trees, or How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz Chris Peikert March 19, 2010 Abstract We introduce a new lattice-based cryptographic structure called a bonsai tree,
More informationAn Efficient and Parallel Gaussian Sampler for Lattices
An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Institute of Technology Abstract. At the heart of many recent lattice-based cryptographic schemes is a polynomial-time algorithm
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationHow to Delegate a Lattice Basis
How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz July 24, 2009 Abstract We present a technique, which we call basis delegation, that allows one to use a short basis of a given lattice
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationBonsai Trees (or, Arboriculture in Lattice-Based Cryptography)
Bonsai Trees (or, Arboriculture in Lattice-Based Cryptography) Chris Peikert Georgia Institute of Technology July 20, 2009 Abstract We introduce bonsai trees, a lattice-based cryptographic primitive that
More informationGroup Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based
More informationBonsai Trees, or How to Delegate a Lattice Basis
Bonsai Trees, or How to Delegate a Lattice Basis David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert Abstract. We introduce a new lattice-based cryptographic structure called a bonsai tree, and
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationAn update on Hash-based Signatures. Andreas Hülsing
An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More informationA Decade of Lattice Cryptography
A Decade of Lattice Cryptography Chris Peikert 1 September 26, 2015 1 Department of Computer Science and Engineering, University of Michigan. Much of this work was done while at the School of Computer
More informationProxy Re-encryption from Lattices
Proxy Re-encryption from Lattices Elena Kirshanova Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr University Bochum, Germany elena.kirshanova@rub.de Abstract. We propose a new unidirectional
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationMitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song
Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song A brief motivation Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ,
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationOn Approximating the Covering Radius and Finding Dense Lattice Subspaces
On Approximating the Covering Radius and Finding Dense Lattice Subspaces Daniel Dadush Centrum Wiskunde & Informatica (CWI) ICERM April 2018 Outline 1. Integer Programming and the Kannan-Lovász (KL) Conjecture.
More informationAn Efficient Lattice-based Secret Sharing Construction
An Efficient Lattice-based Secret Sharing Construction Rachid El Bansarkhani 1 and Mohammed Meziani 2 1 Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraße
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationA Provably Secure Group Signature Scheme from Code-Based Assumptions
A Provably Secure Group Signature Scheme from Code-Based Assumptions Martianus Frederic Ezerman, Hyung Tae Lee, San Ling, Khoa Nguyen, Huaxiong Wang NTU, Singapore ASIACRYPT 15-01/12/15 Group Signatures
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationProxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012
Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Manh Ha Nguyen Tokyo Institute of Technology Toshiyuki Isshiki 1,2 and Keisuke Tanaka 2 1 NEC Corporation 2 Tokyo Institute of
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationSecure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry Stanford University
Secure Signatures and Chosen Ciphertext Security in a Quantu Coputing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack (CMA) σ = S(sk, ) signing key sk Classical CMA
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationSAMPLING FROM DISCRETE GAUSSIANS FOR LATTICE-BASED CRYPTOGRAPHY ON A CONSTRAINED DEVICE
SAMPLING FROM DISCRETE GAUSSIANS FOR LATTICE-BASED CRYPTOGRAPHY ON A CONSTRAINED DEVICE NAGARJUN C. DWARAKANATH AND STEVEN D. GALBRAITH ABSTRACT. Modern lattice-based public-key cryptosystems require sampling
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationRandom Oracles in a Quantum World
Random Oracles in a Quantum World AsiaISG Research Seminars 2011/2012 Özgür Dagdelen, Marc Fischlin (TU Darmstadt) Dan Boneh, Mark Zhandry (Stanford University) Anja Lehmann (IBM Zurich) Christian Schaffner
More informationLossy Trapdoor Functions and Their Applications
Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationLattice Signatures Without Trapdoors
Lattice Signatures Without Trapdoors Vadim Lyubashevsky INRIA / École Normale Supérieure Abstract. We provide an alternative method for constructing lattice-based digital signatures which does not use
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationProving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationDensity of Ideal Lattices
Density of Ideal Lattices - Preliminary Draft - Johannes Buchmann and Richard Lindner Technische Universität Darmstadt, Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany buchmann,rlindner@cdc.informatik.tu-darmstadt.de
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationA Toolkit for Ring-LWE Cryptography
A Toolkit for Ring-LWE Cryptography Vadim Lyubashevsky Chris Peikert Oded Regev May 16, 2013 Abstract Recent advances in lattice cryptography, mainly stemming from the development of ring-based primitives
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More information