On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio

Similar documents
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Dimension-Preserving Reductions Between Lattice Problems

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Background: Lattices and the Learning-with-Errors problem

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

A Decade of Lattice Cryptography

Hardness and advantages of Module-SIS and Module-LWE

Proving Hardness of LWE

Classical hardness of Learning with Errors

Classical hardness of the Learning with Errors problem

Dwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Gauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1

Post-quantum key exchange for the Internet based on lattices

An Efficient Lattice-based Secret Sharing Construction

Classical hardness of Learning with Errors

CS Topics in Cryptography January 28, Lecture 5

Oded Regev Courant Institute, NYU

Weaknesses in Ring-LWE

Limits on the Hardness of Lattice Problems in l p Norms

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Augmented Learning with Errors: The Untapped Potential of the Error Term

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Lattice-based Cryptography

Limits on the Hardness of Lattice Problems in l p Norms

Density of Ideal Lattices

Public-Key Cryptographic Primitives Provably as Secure as Subset Sum

Solving Closest Vector Instances Using an Approximate Shortest Independent Vectors Oracle

A Lattice-Based Threshold Ring Signature Scheme (TRSS-L)

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Lecture 6: Lattice Trapdoor Constructions

On Ideal Lattices and Learning with Errors Over Rings

Classical Hardness of Learning with Errors

Hard Instances of Lattice Problems

Practical Lattice-Based Digital Signature Schemes

Lattice Signatures Without Trapdoors

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

COS 598D - Lattices. scribe: Srdjan Krstic

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems

Notes for Lecture 15

Lossy Trapdoor Functions and Their Applications

Lattice-Based Cryptography

Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3

Key Recovery for LWE in Polynomial Time

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Lattice Based Crypto: Answering Questions You Don't Understand

Asymptotically Efficient Lattice-Based Digital Signatures

Simple Lattice Trapdoor Sampling from a Broad Class of Distributions

Solving the Shortest Lattice Vector Problem in Time n

Solving All Lattice Problems in Deterministic Single Exponential Time

A Framework to Select Parameters for Lattice-Based Cryptography

Post-Quantum Cryptography

New Lattice Based Cryptographic Constructions

Ring-SIS and Ideal Lattices

Weak Instances of PLWE

Algorithms for ray class groups and Hilbert class fields

Notes for Lecture 16

Lattice-Based Identification Schemes Secure Under Active Attacks

Limits on the Hardness of Lattice Problems in l p Norms

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective

Short Stickelberger Class Relations and application to Ideal-SVP

Solving BDD by Enumeration: An Update

Lattice Signatures Without Trapdoors

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Open problems in lattice-based cryptography

Chosen-Ciphertext Security from Subset Sum

Sieving for Shortest Vectors in Ideal Lattices

Lattice Cryptography

Running head: IDEAL LATTICE CRYPTOGRAPHY 1. Ideal Lattice Cryptography: Escaping the Cryptopocalypse. Stephen Gillen. Georgia Institute of Technology

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

Computational complexity of lattice problems and cyclic lattices

Generating Shorter Bases for Hard Random Lattices

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

A SELECTION OF RECENT LATTICE-BASED SIGNATURE AND ENCRYPTION SCHEMES

A simple lattice based PKE scheme

Improved Zero-knowledge Proofs of Knowledge for the ISIS Problem, and Applications

Lattice Cryptography

Post-Quantum Cryptography & Privacy. Andreas Hülsing

An intro to lattices and learning with errors

Practical Analysis of Key Recovery Attack against Search-LWE Problem

The quantum threat to cryptography

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

Lattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012

FULLY HOMOMORPHIC ENCRYPTION

Proposal of a new efficient public key system for encryption and digital signatures

Post-Quantum Cryptography from Lattices

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Improving BDD cryptosystems in general lattices

Transcription:

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio

Lattices Lattice: A discrete additive subgroup of R n

Lattices Basis: A set of linearly independent vectors that generate the lattice.

Lattices Basis: A set of linearly independent vectors that generate the lattice.

Why are Lattices Interesting? (In Cryptography) Ajtai ('96) showed that solving average instances of some lattice problem implies solving all instances of a lattice problem Possible to base cryptography on worst-case instances of lattice problems

SIVP [Ajt '96,...] Minicrypt primitives

Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors

Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors

Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n GapSVP

Minimum Distance Problem (GapSVP) Find the minimum distance between the vectors in the lattice

Minimum Distance Problem (GapSVP) d Find the minimum distance between the vectors in the lattice

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n GapSVP

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n GapSVP usvp Cryptosystems Ajtai-Dwork '97 Regev '03

Unique Shortest Vector Problem (usvp) Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

Unique Shortest Vector Problem (usvp) Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n GapSVP 1 [Reg '03] usvp Cryptosystems Ajtai-Dwork '97 Regev '03

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n (quantum reduction) GapSVP Cryptosystem Regev '05 1 [Reg '03] usvp Cryptosystems Ajtai-Dwork '97 Regev '03

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n (quantum reduction) GapSVP Cryptosystems Regev '05 Peikert '09 1 [Reg '03] usvp Cryptosystems Ajtai-Dwork '97 Regev '03

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n [Reg '05] n (quantum reduction) GapSVP [GG '97,Pei '09] BDD Cryptosystems Regev '05 Peikert '09 1 [Reg '03] usvp Cryptosystems Ajtai-Dwork '97 Regev '03

Bounded Distance Decoding (BDD) Given a target vector that's close to the lattice, find the nearest lattice vector

[Ban '93] SIVP [Ajt '96,...] Minicrypt primitives n [Reg '05] n (quantum reduction) GapSVP [GG '97,Pei '09] BDD Cryptosystems Regev '05 Peikert '09 1 1 2 usvp Cryptosystems Ajtai-Dwork '97 Regev '03

SIVP Minicrypt primitives (quantum reduction) GapSVP BDD usvp Cryptosystems

Cryptosystem Hardness Assumptions usvp BDD GapSVP SIVP (quantum) Ajtai-Dwork '97 O(n 2 ) O(n 2 ) O(n 2.5 ) O(n 3 ) Regev '03 O(n 1.5 ) O(n 1.5 ) O(n 2 ) O(n 2.5 ) Regev '05 - - - O(n 1.5 ) Peikert '09 O(n 1.5 ) O(n 1.5 ) O(n 2 ) O(n 2.5 ) Implications of our results

Lattice-Based Primitives Minicrypt One-way functions [Ajt '96] Public-Key Cryptosystems [AD '97] (usvp) Collision-resistant hash functions [Ajt '96,MR '07] Identification schemes [MV '03,Lyu '08, KTX '08] Signature schemes [LM '08, GPV '08] All Based on GapSVP and SIVP [Reg '03] (usvp) [Reg '05] (SIVP and GapSVP under quantum reductions) [Pei '09] (GapSVP) All Based on GapSVP and quantum SIVP Major Open Problem: Construct cryptosystems based on SIVP

Reductions GapSVP BDD 1 1 2 usvp

Proof Sketch (BDD < usvp)

Proof Sketch (BDD < usvp)

Proof Sketch (BDD < usvp)

Proof Sketch (BDD < usvp)

Proof Sketch (BDD < usvp)

Proof Sketch (BDD < usvp) New basis vector used exactly once in constructing the unique shortest vector

Proof Sketch (BDD < usvp) New basis vector used exactly once in constructing the unique shortest vector

Proof Sketch (BDD < usvp) New basis vector used exactly once in constructing the unique shortest vector Subtracting unique shortest vector from new basis vector gives the closest point to the target.

Open Problems Can we construct cryptosystems based on SIVP (SVP would be even better!) Can the reduction GapSVP < BDD be tightened? Can the reduction BDD < usvp be tightened?

Thanks!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback