a new algorithm for the variants of acd problem
play

A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, - PowerPoint PPT Presentation

Nov 11, 2022 •153 likes •459 views

A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik Kang, Jiseung Kim, Changmin Lee ENS de Lyon June 27, 2019 Changmin Lee Analysis of CRT-ACD June 27, 2019 1 / 23 Approximate Common-Divisor

  1. A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik Kang, Jiseung Kim, Changmin Lee ENS de Lyon June 27, 2019 Changmin Lee Analysis of CRT-ACD June 27, 2019 1 / 23

  2. Approximate Common-Divisor Problem[HG01] Partial Approximate Common Divisor problem(PACD): a 0 = pq 0 = pq 1 + r 1 ≡ r 1 mod p a 1 . . . . . . = pq ℓ + r ℓ ≡ r ℓ mod p a ℓ where p is a big secret prime and r i ≪ p . Question : Given ( a 0 , . . . , a ℓ ), Can we recover p ? Answer : SDA, OLA, Coppersmith Method Changmin Lee Analysis of CRT-ACD June 27, 2019 2 / 23

  3. Approximate Common-Divisor Problem[HG01] Partial Approximate Common Divisor problem(PACD): a 0 = pq 0 = pq 1 + r 1 ≡ r 1 mod p a 1 . . . . . . = pq ℓ + r ℓ ≡ r ℓ mod p a ℓ where p is a big secret prime and r i ≪ p . Question : Given ( a 0 , . . . , a ℓ ), Can we recover p ? Answer : SDA, OLA, Coppersmith Method Changmin Lee Analysis of CRT-ACD June 27, 2019 2 / 23

  4. Approximate Common-Divisor Problem[HG01] Application: J.-S. Coron, A. Mandal, D. Naccache, M. Tibouchi. Fully homomorphic encryption over the integers with shorter public keys. CRYPTO 2011. J.-S. Coron, D. Naccache, M. Tibouchi. Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. EUROCRYPT 2012. J. H. Cheon, D. Stehle. Fully Homomorphic Encryption over the Integers Revisited. EUROCRYPT 2015. Changmin Lee Analysis of CRT-ACD June 27, 2019 3 / 23

  5. Chinese Remainder Theorem-ACD Problem[CCK+13] CRT-ACD (Simple version): n � = N p i i =1 ≡ r i 1 mod p i a 1 . . . ≡ r i ℓ mod p i a ℓ where p i are big secret primes ( η -bit) and r ij ( ρ -bit) ≪ p i . Question : Given ( N , a 1 , . . . , a ℓ ), Can we recover p i ? What if n = 2 ? Changmin Lee Analysis of CRT-ACD June 27, 2019 4 / 23

  6. Chinese Remainder Theorem-ACD Problem[CCK+13] CRT-ACD (Simple version): n � = N p i i =1 ≡ r i 1 mod p i a 1 . . . ≡ r i ℓ mod p i a ℓ where p i are big secret primes ( η -bit) and r ij ( ρ -bit) ≪ p i . Question : Given ( N , a 1 , . . . , a ℓ ), Can we recover p i ? What if n = 2 ? Changmin Lee Analysis of CRT-ACD June 27, 2019 4 / 23

  7. Chinese Remainder Theorem-ACD Problem[CCK+13] Application: J. H. Cheon, J.-S. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, A. Yun. Batch Fully Homomorphic Encryption over the Integers. EUROCRYPT 2013. J.-S. Coron, T. Lepoint, M. Tibouchi, Practical Multilinear Maps over the Integers. CRYPTO13 J.-S. Coron, T. Lepoint, M. Tibouchi, New Multilinear Maps Over the Integers. CRYPTO15 Changmin Lee Analysis of CRT-ACD June 27, 2019 5 / 23

  8. Varinant of Chinese Remainder Theorem-ACD Problem CRT-ACD with a dual instance(CRT-ACDwDI): n � = N p i i =1 ≡ r i 1 mod p i a 1 . . . ≡ r i ℓ mod p i a ℓ � = d i · N / p i D i where p i are big secret primes ( η -bit) and r ij ( ρ -bit) , d i ≪ p i . Question : Given ( N , a 1 , . . . , a ℓ , D ), Can we recover p i ? Answer : Yes! Changmin Lee Analysis of CRT-ACD June 27, 2019 6 / 23

  9. Varinant of Chinese Remainder Theorem-ACD Problem CRT-ACD with a dual instance(CRT-ACDwDI): n � = N p i i =1 ≡ r i 1 mod p i a 1 . . . ≡ r i ℓ mod p i a ℓ � = d i · N / p i D i where p i are big secret primes ( η -bit) and r ij ( ρ -bit) , d i ≪ p i . Question : Given ( N , a 1 , . . . , a ℓ , D ), Can we recover p i ? Answer : Yes! Changmin Lee Analysis of CRT-ACD June 27, 2019 6 / 23

  10. Result Current Status There are 3 types of algorithms for solving PACD Algorithms for PACD cannot be applied to CRT-ACD . There is no algebraic algorithm to solve the CRT-ACD problem. It is not known which parameter is safe. CRT-ACDwDI is solved in polynomial time in n , η [CHLRS15]. Our results We present an algorithm to solve the CRT-ACD problem It is solved in polynomial time if n ≤ η − 4 · ρ . We provide the first guideline to set n . Changmin Lee Analysis of CRT-ACD June 27, 2019 7 / 23

  11. Result Current Status There are 3 types of algorithms for solving PACD Algorithms for PACD cannot be applied to CRT-ACD . There is no algebraic algorithm to solve the CRT-ACD problem. It is not known which parameter is safe. CRT-ACDwDI is solved in polynomial time in n , η [CHLRS15]. Our results We present an algorithm to solve the CRT-ACD problem It is solved in polynomial time if n ≤ η − 4 · ρ . We provide the first guideline to set n . Changmin Lee Analysis of CRT-ACD June 27, 2019 7 / 23

  12. Cryptanalysis of CRT-ACD Changmin Lee Analysis of CRT-ACD June 27, 2019 8 / 23

  13. Notation Notation: � − 1 n p i , 1 n � � � CRT ( p i ) ( r i ) defined as the unique integer in p i 2 2 i =1 i =1 which is congruent to r i mod p i for all i ∈ { 1 , . . . , n } n � N = p i i =1 p i = N / p i . ˆ Note that we assume n = 2 for the sake of simplicity. So we use the notation CRT ( p 1 , p 2 ) ( r i , 1 , r i , 2 ) as well. Changmin Lee Analysis of CRT-ACD June 27, 2019 9 / 23

  14. Definition of CRT-ACD and Dual instance Definition (CRT-ACD Problem, Simple version) Let p 1 and p 2 be η -bit integers and r i , 1 and r i , 2 be ρ -bit integers with ρ < η . The CRT-ACD problem is: Given many samples CRT ( p 1 , p 2 ) ( r i , 1 , r i , 2 ) and N , find p 1 , p 2 . Definition (Dual instance, Simple version) Let p 1 and p 2 be parameters of CRT-ACD problem. Dual instance of CRT-ACD is defined as an integer that is expressed in the following form. n � D = d i · ˆ p i = d 1 · p 2 + d 2 · p 1 , i where | d i | ≤ 2 η − 3 ρ − log n = 2 η − 3 ρ − log 2 . Changmin Lee Analysis of CRT-ACD June 27, 2019 10 / 23

  15. Attack Outline Our results We present an algorithm to solve the CRT-ACD problem Our algorithm consists of 2 steps The first step is to obtain a dual instance only from the CRT-ACD samples. Using the previous algorithm for CRT-ACDwDI, all the factors p i can be recovered. Changmin Lee Analysis of CRT-ACD June 27, 2019 11 / 23

  16. Observation Put b j := CRT ( p 1 , p 2 ) ( r j , 1 , r j , 2 ) = p 1 · q j , 1 + r j , 1 = p 2 · q j , 2 + r j , 2 . For any dual instance d = d 1 · ˆ p 1 + d 2 · ˆ p 2 , the followings hold: [ d · b j ] N ≡ [ d 1 · ˆ p 1 · ( p 1 · q j , 1 + r j , 1 ) + d 2 · ˆ p 2 · ( p 2 · q j , 2 + r j , 2 )] N ≡ [ d 1 · ˆ p 1 · r j , 1 + d 2 · ˆ p 2 · r j , 2 ] N = d 1 · ˆ p 1 · r j , 1 + d 2 · ˆ p 2 · r j , 2 Small! compared to N p i | ≤ 2 2 η − 2 ρ ≪ N / 2 | � 2 ∵ | d i | ≤ 2 η − 3 ρ − log 2 , i =1 d i · r j , i · ˆ Changmin Lee Analysis of CRT-ACD June 27, 2019 12 / 23

  17. Step 1: How to find a dual instance Consider a lattice L generated by the following matrix:   1 0 0 0 0 0 0 0 b 1 N     B = b 2 0 N 0 0     0 0 0 b 3 N   b 4 0 0 0 N ([ d ] N , [ d · b 1 ] N , [ d · b 2 ] N , [ d · b 3 ] N , [ d · b 4 ] N ) T is a short vector in a lattice L if d is a dual instance. We will show that the first entry of any short vectors in a lattice L is a dual instance. Changmin Lee Analysis of CRT-ACD June 27, 2019 13 / 23

  18. Step 1: Idea Sketch Let E = ( E 1 , E 2 , E 3 , E 4 , E 5 ) T be a lattice point of L . We hold: For any element E 1 ∈ Z can be written as e 1 · ˆ p 1 + e 2 · ˆ p 2 . E i = [ E 1 · b i ] N = e 1 · r i , 1 · ˆ p 1 + e 2 · r i , 2 · ˆ p 2 mod N . Hence, we have the following relation: E = ( E 1 , E 2 , E 3 , E 4 , E 5 ) � ˆ � � 1 � 0 p 1 r 1 , 1 r 2 , 1 r 3 , 1 r 4 , 1 = ( e 1 , e 2 ) · · 0 ˆ 1 p 2 r 1 , 2 r 2 , 2 r 3 , 2 r 4 , 2 E · ˆ = P · R mod N We want to show that � E · ˆ P mod N � ∞ is small. It implies that � E � ∞ is small. Changmin Lee Analysis of CRT-ACD June 27, 2019 14 / 23

  19. Step 1: Idea Sketch Let E = ( E 1 , E 2 , E 3 , E 4 , E 5 ) T be a lattice point of L . We hold: For any element E 1 ∈ Z can be written as e 1 · ˆ p 1 + e 2 · ˆ p 2 . E i = [ E 1 · b i ] N = e 1 · r i , 1 · ˆ p 1 + e 2 · r i , 2 · ˆ p 2 mod N . Hence, we have the following relation: E = ( E 1 , E 2 , E 3 , E 4 , E 5 ) � ˆ � � 1 � 0 p 1 r 1 , 1 r 2 , 1 r 3 , 1 r 4 , 1 = ( e 1 , e 2 ) · · 0 ˆ 1 p 2 r 1 , 2 r 2 , 2 r 3 , 2 r 4 , 2 E · ˆ = P · R mod N We want to show that � E · ˆ P mod N � ∞ is small. It implies that � E � ∞ is small. Changmin Lee Analysis of CRT-ACD June 27, 2019 14 / 23

  20. Step 1: Idea Sketch We obtain the inequality as follows: � E · R − 1 mod N � ∞ ≤ � E · R − 1 � ∞ � E · ˆ P mod N � ∞ = � E � ∞ · � R − 1 � ∞ · n , ≤ where R − 1 is a right inverse of R . We show that the smallness of � E � ∞ with a lattice reduction algorithm. (It is possible when n ≤ η − 4 · ρ .) � R − 1 � ∞ with Gaussian Heuristics. From the equation, the size of e i · ˆ p i is bounded for all i . Changmin Lee Analysis of CRT-ACD June 27, 2019 15 / 23

  21. Result Let n , η, ρ be parameters of the CRT-ACD Problem. When 2 n instances are given, we can find a dual instance under the condition n ≤ η − 4 ρ in polynomial time with LLL algorithm 2 log β · ( η − 4 ρ ) in 2 O ( β ) time with BKZ algorithm β − 1 n ≤ Changmin Lee Analysis of CRT-ACD June 27, 2019 16 / 23

Recommend

A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants

A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants

A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants Nicolas Jozefowiez 1 , Gilbert Laporte 2 , Fr eric Semet 3 ed 1. LAAS-CNRS, INSA, Universit e de Toulouse, Toulouse, France,

345 views • 21 slides
Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem

Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem

Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem Classification How many meshes? Two: Pairwise registration More than two: multi-view registration Initial registration available? Yes: Local

1.1k views • 50 slides
The EM Algorithm The EM algorithm Mixture models Why EM works EM variants Learning

The EM Algorithm The EM algorithm Mixture models Why EM works EM variants Learning

Preview The EM Algorithm The EM algorithm Mixture models Why EM works EM variants Learning with Missing Data The EM Algorithm Goal: Learn parameters of Bayes net with known structure Initialize parameters ignoring missing

363 views • 3 slides
Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness Robustness of a mathematical object (such as proof, definition, algorithm, method, etc.) is measured by its invariance to certain changes To prove that a

944 views • 49 slides
Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger University of Basel April 29, 2020 Other Halting Problem Variants Rices Theorem Summary Other Halting Problem Variants Other Halting

675 views • 45 slides
On algebraic variants of the LWE problem Damien Stehl e Based on joint works with M. Rosca, A.

On algebraic variants of the LWE problem Damien Stehl e Based on joint works with M. Rosca, A.

Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion On algebraic variants of the LWE problem Damien Stehl e Based on joint works with M. Rosca, A. Sakzad, R. Steinfeld and A. Wallet Figures borrowed from M. Rosca and A.

1.04k views • 64 slides
Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does

Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does

Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does this Algorithm Analysis code solve that problem? Could try to measure the time it takes, but &quot; bit twiddling: 1. (pejorative) An exercise

396 views • 15 slides
Noise Tolerant Variants of the Perceptron Algorithm Roni Khardon RONI @ CS . TUFTS . EDU Gabriel

Noise Tolerant Variants of the Perceptron Algorithm Roni Khardon RONI @ CS . TUFTS . EDU Gabriel

Journal of Machine Learning Research 8 (2007) 227-248 Submitted 11/05; Revised 10/06; Published 2/07 Noise Tolerant Variants of the Perceptron Algorithm Roni Khardon RONI @ CS . TUFTS . EDU Gabriel Wachman GWACHM 01@ CS . TUFTS . EDU Department

449 views • 22 slides
Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin

Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin

Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin Department of Mathematics, Iowa State University Feb 9, 2017 Final Defense Zero forcing and their applns to the min rank problem 1/47 Department

1.24k views • 92 slides
Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we consider here, just like in consensus, the processes need to make consistent decisions, such as agreeing on one common value. Most of the

590 views • 35 slides
Algorithm Analysis October 12, 2016 CMPE 250 Algorithm Analysis October 12, 2016 1 / 66

Algorithm Analysis October 12, 2016 CMPE 250 Algorithm Analysis October 12, 2016 1 / 66

Algorithm Analysis October 12, 2016 CMPE 250 Algorithm Analysis October 12, 2016 1 / 66 Problem Solving: Main Steps Problem definition 1 Algorithm design / Algorithm specification 2 Algorithm analysis 3 Implementation 4 Testing 5

943 views • 66 slides
Dijkstras Algorithm Problem Solving Club February 1, 2017 Dijkstras algorithm

Dijkstras Algorithm Problem Solving Club February 1, 2017 Dijkstras algorithm

Dijkstras Algorithm Problem Solving Club February 1, 2017 Dijkstras algorithm Dijkstras is a greedy algorithm that finds shortest paths from a single source to every other vertex in the graph. As usually implemented: Works

360 views • 22 slides
Software Development Method 1. Specify the problem requirements 2. Analyze the problem

Software Development Method 1. Specify the problem requirements 2. Analyze the problem

Software Development Method 1. Specify the problem requirements 2. Analyze the problem Algorithms 3. Design the algorithm to solve the problem 4. Implement the algorithm 5. Test and verify the completed program 6. Maintain and update the

145 views • 3 slides
Algorithms http://cs.mst.edu What is an algorithm? An algorithm is a clear, concise, and

Algorithms http://cs.mst.edu What is an algorithm? An algorithm is a clear, concise, and

Algorithms http://cs.mst.edu What is an algorithm? An algorithm is a clear, concise, and correct step- by-step sequence of actions used to solve a problem or set of problems http://cs.mst.edu Example 1 Problem Write an algorithm that

309 views • 9 slides
Which Value x Analysis of the Problem Towards an Algorithm Best Represents Resulting

Which Value x Analysis of the Problem Towards an Algorithm Best Represents Resulting

Need to Combine . . . Utility-Based Approach Case of Interval . . . Which Value x Analysis of the Problem Towards an Algorithm Best Represents Resulting Algorithm What Is the . . . a Sample x 1 , . . . , x n : Acknowledgments

617 views • 15 slides
A deterministic algorithm for stochastic multistage problems or The problem-child algorithm

A deterministic algorithm for stochastic multistage problems or The problem-child algorithm

A deterministic algorithm for stochastic multistage problems or The problem-child algorithm Regan Baucke, Anthony Downward, Golbon Zakeri CERMICS, Ecole des Ponts ParisTech reganbaucke.github.io CMS and MMEI 2019 27 th March 2019 Stochastic

2.2k views • 156 slides
Algorithm Design An algorithm can be written out in pseudo code Then turned into source code

Algorithm Design An algorithm can be written out in pseudo code Then turned into source code

Algorithm Design An algorithm can be written out in pseudo code Then turned into source code Which is then compiled to machine code Problem Solving Algorithm: set of unambiguous instructions to solve a problem Breaking down a

459 views • 25 slides
A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May

A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May

A Parallel Algorithm for the Single-Source Shortest Path Problem Kevin Kelley, Tao Schardl May 12, 2010 Outline The Problem Dijkstras Algorithm Gabows Scaling Algorithm Optimizing Gabow Parallelizing Gabow

342 views • 23 slides
Algorithm Design Formulate the problem Design an algorithm Prove it is correct Analyze its

Algorithm Design Formulate the problem Design an algorithm Prove it is correct Analyze its

Algorithm Design Formulate the problem Design an algorithm Prove it is correct Analyze its running time Topics we have not explored Problems not in NP: planning, chess Approximation algorithms Parallel algorithms The Algorithmic Lens The

377 views • 10 slides
Algorithm Analysis CS 201 Introduction Once a correct algorithm is designed for a given

Algorithm Analysis CS 201 Introduction Once a correct algorithm is designed for a given

Algorithm Analysis CS 201 Introduction Once a correct algorithm is designed for a given problem, an important step is to determine how much in the way of resources (such as time and space) the algorithm will require You will learn how to

378 views • 20 slides
Mat 3770 Problem Bin Packing Dynamic Programming Basic Problem or Algorithm Problem

Mat 3770 Problem Bin Packing Dynamic Programming Basic Problem or Algorithm Problem

Mat 3770 Bin Packing or The Knapsack Mat 3770 Problem Bin Packing Dynamic Programming Basic Problem or Algorithm Problem Variation The Knapsack Problem Exhaustive Search Greedy Dynamic Pgmg Hierarchical Math Pgmg Spring 2014

479 views • 27 slides
What is an Algorithm? Quite generally, an algorithm is a set of instructions that lead to

What is an Algorithm? Quite generally, an algorithm is a set of instructions that lead to

What is an Algorithm? Quite generally, an algorithm is a set of instructions that lead to some desired Fundamentals: All About result Algorithms Must first decompose a problem, and then express its method of solution as a Computer

407 views • 7 slides
Algorithm Efficiency &amp; Sorting Overview Writing programs to solve problem consists of a

Algorithm Efficiency &amp; Sorting Overview Writing programs to solve problem consists of a

Algorithm Efficiency &amp; Sorting Overview Writing programs to solve problem consists of a large Algorithm efficiency number of decisions Big-O notation how to represent aspects of the problem for solution Searching algorithms

337 views • 15 slides
An Algorithm for Determining Intro to problem the Endpoints for Isolated Solution

An Algorithm for Determining Intro to problem the Endpoints for Isolated Solution

Outline An Algorithm for Determining Intro to problem the Endpoints for Isolated Solution Utterances Algorithm Summary L.R. Rabiner and M.R. Sambur The Bell System Technical Journal , Vol. 54, No. 2, Feb. 1975, pp. 297-315

65 views • 4 slides

More recommend