A History of Lattice-Based Encryption (in order of increasing efficiency) - PowerPoint PPT Presentation

  1. A History of Lattice-Based Encryption (in order of increasing efficiency)
     Vadim Lyubashevsky, INRIA / ENS, Paris
     Lattice-Based Crypto & Applications, Bar-Ilan University, Israel, 2012

  2. Lattice-Based Encryption Schemes
     1. NTRU [Hoffstein, Pipher, Silverman '98]
     2. LWE-based [Regev '05]
     3. Ring-LWE-based [L, Peikert, Regev '10]
     4. "NTRU-like" with a proof of security [Stehle, Steinfeld '11]

  3. Subset Sum Problem
     Subset-Sum based [L, Palacio, Segev '10]
     LWE-based [Regev '05]
     Ring-LWE-based [L, Peikert, Regev '10]
     "NTRU-like" with a proof of security [Stehle, Steinfeld '11]
     NTRU [Hoffstein, Pipher, Silverman '98]

  4. THE SUBSET SUM PROBLEM

  5. Subset Sum Problem
     a_i, T in Z_M; the a_i are chosen randomly; T is a sum of a random subset of the a_i.
       a_1  a_2  a_3  ...  a_n      T
     Find a subset of the a_i's that sums to T (mod M).

  6. Subset Sum Problem
     a_i, T in Z_49; the a_i are chosen randomly; T is a sum of a random subset of the a_i.
       15  31  24  3  14      T = 11
     15 + 31 + 14 = 11 (mod 49)

  7. How Hard is Subset Sum?
     a_i, T in Z_M
       a_1  a_2  a_3  ...  a_n      T
     Find a subset of the a_i's that sums to T (mod M).
     Hardness depends on:
     • the size of n and M
     • the relationship between n and M

  8. Complexity of Solving Subset Sum
       M:         2^(log²(n))    2^n  ...  2^(n log(n))    2^(n²)
       run-time:  poly(n)        2^Ω(n)                    poly(n)
     poly(n) at M = 2^(log²(n)): "generalized birthday attacks" [FlaPrz05, Lyu06, Sha08]
     poly(n) at M = 2^(n²): "lattice reduction attacks" [LagOdl85, Fri86]

  9. Subset Sum Crypto: Why?
     • simple operations
     • exponential hardness
     • very different from number theoretic assumptions
     • resists quantum attacks

  10. Subset Sum is "Pseudorandom"
      [Impagliazzo-Naor 1989]: For random a_1, ..., a_n in Z_M and random x_1, ..., x_n in {0,1},
      distinguishing the distribution (a_1, ..., a_n, a_1 x_1 + ... + a_n x_n mod M) from the
      uniform distribution U(Z_M^(n+1)) is as hard as finding x_1, ..., x_n.

  11. What About Public-Key Encryption?
      • Many early attempts
      • None of them had proofs of security
      • All seem to be broken

  12. Merkle-Hellman Cryptosystem
      a_1, ..., a_n are super-increasing (a_j > a_1 + ... + a_(j-1)): knowing a_1, ..., a_n and
      a_1 x_1 + ... + a_n x_n, we can recover all the x_i.
      Secret key: super-increasing a_1, ..., a_n, M > a_1 + ... + a_n, and r such that gcd(r, M) = 1
      Public key: w_i = r a_i mod M
      Encrypt(x_1, ..., x_n) = w_1 x_1 + ... + w_n x_n = r (a_1 x_1 + ... + a_n x_n)
      Decrypt(T): compute r^(-1) T mod M and recover all x_i

  13. Merkle-Hellman Cryptosystem
      a_1, ..., a_n are super-increasing (a_j > a_1 + ... + a_(j-1)): knowing a_1, ..., a_n and
      a_1 x_1 + ... + a_n x_n, we can recover all the x_i.
      Secret key: super-increasing a_1, ..., a_n, M > a_1 + ... + a_n, and r such that gcd(r, M) = 1
      Public key: w_i = r a_i mod M
      Encrypt(x_1, ..., x_n) = w_1 x_1 + ... + w_n x_n = r (a_1 x_1 + ... + a_n x_n)
      Decrypt(T): compute r^(-1) T mod M and recover all x_i
      Not Random!! (was exploited in attacks)
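The Merkle-Hellman scheme of slides 12-13, written out as an added Python example (this is illustration code for this page, not the authors' or the original scheme's own code). Key generation, the integer ranges for a_i, M and r, and the use of n >= 2 are my assumptions; the scheme itself is the historical, broken one the slides describe.

```python
import math
import random

def keygen(n, rng=random):
    """Secret key: super-increasing a_1..a_n, M > a_1 + ... + a_n, r with gcd(r, M) = 1."""
    a, total = [], 0
    for _ in range(n):
        a_i = rng.randrange(total + 1, 2 * total + 2)   # a_i > a_1 + ... + a_(i-1)
        a.append(a_i)
        total += a_i
    M = rng.randrange(total + 1, 2 * total + 2)           # M > sum of all a_i
    r = rng.randrange(2, M)
    while math.gcd(r, M) != 1:
        r = rng.randrange(2, M)
    w = [(r * a_i) % M for a_i in a]                     # public key: w_i = r a_i mod M
    return w, (a, M, r)

def encrypt(w, bits):
    """Encrypt(x_1..x_n) = w_1 x_1 + ... + w_n x_n (a plain integer sum, not reduced mod M)."""
    return sum(w_i * x_i for w_i, x_i in zip(w, bits))

def decrypt(sk, T):
    """r^(-1) T mod M equals a_1 x_1 + ... + a_n x_n exactly (it is below M);
    the super-increasing property then lets a greedy pass recover every x_i."""
    a, M, r = sk
    S = (pow(r, -1, M) * T) % M
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):                  # largest a_i first
        if S >= a[i]:
            bits[i] = 1
            S -= a[i]
    return bits
```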

  14. CRYPTOSYSTEM BASED ON SUBSET SUM [L, PALACIO, SEGEV 2010]

  15. Subset Sum Cryptosystem
      • Semantically secure based on Subset Sum for M ≈ n^n
      • Main tools:
        - Subset sum is pseudo-random
        - Addition in (Z_q)^n is "kind of like" addition in Z_M where M = q^n
      • The proof is very simple

  16. Facts About Addition
      Want to add 4679 + 3907 + 8465 + 1343 mod 10^4.

        With carries (i.e. in Z_M):      Without carries (i.e. in (Z_q)^n):
          carries  2 1 2
                   4 6 7 9                  4 6 7 9
                   3 9 0 7                  3 9 0 7
                   8 4 6 5                  8 4 6 5
                   1 3 4 3                  1 3 4 3
                 = 8 3 9 4                = 6 2 7 4

      Adding n numbers (written in base q) modulo q^m → carries < n.
      If q >> n, then adding with carries ≈ adding without carries.

  17. So...
      Select rows with x = (1, 1, 0, 1):
        1   4 6 7 9
        1   3 9 0 7
        0   8 4 6 5
        1   1 6 4 3
      Without carries (digit-wise, in (Z_10)^4):   8 1 1 9   → NOT pseudorandom!
      With carries (in Z_(10^4)):                  0 2 2 9   → pseudorandom based on Subset Sum!
      The carry vector links the two: 8 1 1 9 + 2 1 1 0 = 0 2 2 9 (digit-wise mod 10).

  18. Column Subset Sum Addition Is Also Pseudorandom
      The same matrix read column by column:
        4 6 7 9
        3 9 0 7
        8 4 6 5
        1 6 4 3
      Each column is a base-10 number; summing a random subset of the columns with carries
      is again a subset sum instance, so the result is pseudorandom.

  19. "Hybrid" Subset Sum Addition Is Also Pseudorandom
      Mixing row subset sums and column subset sums of the same matrix
        4 6 7 9
        3 9 0 7
        8 4 6 5
        1 6 4 3
      still gives a pseudorandom result.

  20. Encryption Scheme
      A in Z_q^(n×n), s in {0,1}^n, r in {0,1}^n
      Public key: A and t = A·s + (carries)   [column subset sum of A selected by s]
      Ciphertext: u = r·A + (carries)   [row subset sum of A selected by r],   v = r·t

  21. Encryption Scheme
      u = r·A + (carries), t = A·s + (carries), v = r·t
      This is pseudo-random based on the hardness of the subset sum problem.

  22. Encryption Scheme
      v = r·t = r·(A·s + carries) = r·A·s + r·(carries)

  23. Encryption Scheme
      u·s = (r·A + carries)·s = r·A·s + (carries)·s ≈ v

  24. Encryption Scheme
      Encryption of 0: v − u·s = (small)   [only the carry terms remain]

  25. Encryption Scheme
      Encryption of 1: v' = v + q/2, so v' − u·s = q/2 + (small)
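An added Python example (written for this page; not the slides' or the authors' code) covering the additions of slides 16-17 and the bit-encryption scheme of slides 20-25: `carries` shows that the subset sum with carries equals the digit-wise sum plus a carry vector whose entries stay below the number of rows, and the toy scheme encrypts one bit with exactly those two operations. The condition q > 4n² and the decryption threshold q/4 are my assumptions for a correct toy, not the parameters of the original scheme.

```python
import random

def to_int(digits, q):
    """Read a base-q digit vector (most significant digit first) as an integer."""
    x = 0
    for d in digits:
        x = x * q + d
    return x

def to_digits(x, q, m):
    """Write x mod q^m as m base-q digits, most significant first."""
    return [(x // q ** (m - 1 - i)) % q for i in range(m)]

def sum_with_carries(rows, coeffs, q):
    """Sum coeff_i * row_i as numbers in Z_(q^m): addition with carries (slide 16, left)."""
    return to_digits(sum(c * to_int(r, q) for r, c in zip(rows, coeffs)), q, len(rows[0]))

def sum_without_carries(rows, coeffs, q):
    """Sum the same rows digit by digit in (Z_q)^m: no carries propagate (slide 16, right)."""
    return [sum(c * r[i] for r, c in zip(rows, coeffs)) % q for i in range(len(rows[0]))]

def carries(rows, coeffs, q):
    """Carry vector = (with - without) digit-wise; every entry is < number of rows added."""
    w, wo = sum_with_carries(rows, coeffs, q), sum_without_carries(rows, coeffs, q)
    return [(a - b) % q for a, b in zip(w, wo)]

# Toy bit encryption built from the two additions. Assumed parameters: q > 4n^2, so the
# carry noise r.c - c'.s (at most n(n-1) in absolute value) stays below q/4 in decryption.
def keygen(n, q, rng=random):
    assert q > 4 * n * n
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    s = [rng.randrange(2) for _ in range(n)]
    cols = [[A[i][j] for i in range(n)] for j in range(n)]
    t = sum_with_carries(cols, s, q)       # t = A s + carries (column subset sum)
    return (q, A, t), s

def encrypt(pk, bit, rng=random):
    q, A, t = pk
    r = [rng.randrange(2) for _ in range(len(A))]
    u = sum_with_carries(A, r, q)          # u = r A + carries (row subset sum)
    v = (sum(ri * ti for ri, ti in zip(r, t)) + bit * (q // 2)) % q
    return u, v

def decrypt(q, s, ct):
    u, v = ct
    d = (v - sum(uj * sj for uj, sj in zip(u, s))) % q   # = bit*q/2 + (r.c - c'.s)
    return 1 if q // 4 <= d < 3 * q // 4 else 0
```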

  26. CRYPTOSYSTEM BASED ON LWE [REGEV 2005]

  27. Encryption Scheme (what we needed)
      u = r·A + (small), t = A·s + (small), v = r·t
      What the proof needed: the added terms are "small", and the whole is pseudorandom.

  28. Picking the "Carries"
      • In Subset Sum: the carries were deterministic
      • What if ... we pick the "carries" at random from some distribution?

  29. So...
      Subset Sum (deterministic carries):      LWE [Reg '05] (random "carries"):
        1   4 6 7 9                               2   4 6 7 9
        1   3 9 0 7                               3   3 9 0 7
        0   8 4 6 5                               0   8 4 6 5
        1   1 6 4 3                               1   1 6 4 3
        +   2 1 1 0   (carries)                   +   1 3 2 1   (random error)
        =   0 2 2 9                               =   7 2 0 3
      Pseudorandom based on Subset Sum          Pseudorandom based on LWE [Reg '05]

  30. LWE vs. Subset Sum
      • The Subset Sum assumption has "deterministic noise"
      • The LWE assumption is more "versatile"
      LWE problem: rows a_1, a_2, ..., a_m in Z_q^n; b = A·s + e, with e small.

  31. LWE vs. Subset Sum
      • The Subset Sum assumption has "deterministic noise"
      • The LWE assumption is more "versatile"
      Subset Sum problem: a_1, a_2, ..., a_n and s in {0,1}^n; b = (a_1 a_2 ... a_n)·s + (carries).

  32. LWE / Subset Sum Encryption
      u = r·A + (small), t = A·s + (small), v = r·t
      n-bit encryption:
        Metric                 Have              Want
        Public Key Size        Õ(n) / Õ(n²)      O(n)
        Secret Key Size        Õ(n) / Õ(n²)      O(n)
        Ciphertext Expansion   Õ(n) / Õ(1)       O(1)
        Encryption Time        Õ(n³) / Õ(n²)     O(n)
        Decryption Time        Õ(n²)             O(n)

  33. CRYPTOSYSTEM BASED ON RING-LWE [L, PEIKERT, REGEV 2010]

  34. Source of Inefficiency of LWE
      Getting just one extra random-looking number requires n random numbers and a small error element.
      Wishful thinking: get n random numbers and produce n pseudo-random numbers in "one shot".

  35. Use Polynomials
      f(x) is a polynomial x^n + a_(n-1) x^(n-1) + ... + a_1 x + a_0
      R = Z_p[x]/(f(x)) is a polynomial ring with
      • addition mod p
      • polynomial multiplication mod p and f(x)
      Each element of R consists of n elements in Z_p.
      In R:
      • small + small = small
      • small * small = small (depending on f(x))
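An added Python example (not from the slides) of multiplication in R = Z_p[x]/(f(x)) and of the "small * small = small (depending on f(x))" point: with f(x) = x^8 + 1 the product of two all-ones polynomials has coefficients of size at most n = 8, while with a deliberately bad choice f(x) = x^8 - 256 the reduction x^8 → 256 multiplies the wrapped-around coefficients by 256 and the product is no longer small. The modulus p = 12289 and both choices of f(x) are my own constructed parameters.

```python
def poly_mul_mod(a, b, f_tail, p):
    """Multiply a, b in R = Z_p[x]/(f(x)), where f(x) = x^n + f_tail(x), deg(f_tail) < n.

    a, b and f_tail are coefficient lists of length n (index = degree)."""
    n = len(a)
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # Reduce modulo f: for k >= n, x^k = x^(k-n) * (-f_tail(x)); work from the top degree down.
    for k in range(2 * n - 2, n - 1, -1):
        c, prod[k] = prod[k], 0
        for t, ft in enumerate(f_tail):
            prod[k - n + t] -= c * ft
    return [c % p for c in prod[:n]]

def centered(c, p):
    """Representative of c mod p in (-p/2, p/2], so 'small' means small absolute value."""
    c %= p
    return c - p if c > p // 2 else c

def infinity_norm(poly, p):
    """Largest |coefficient| after centering: the size of a ring element."""
    return max(abs(centered(c, p)) for c in poly)

P = 12289                          # constructed modulus for the demo
N = 8
ONES = [1] * N                     # a "small" element: every coefficient is 1
GOOD_F = [1] + [0] * (N - 1)       # f(x) = x^8 + 1: small * small stays small (norm <= n)
BAD_F = [-256] + [0] * (N - 1)     # f(x) = x^8 - 256: reduction scales coefficients by 256
```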
