algebraically structured lwe revisited chris peikert
play

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin - PowerPoint PPT Presentation

Sep 06, 2022 •381 likes •954 views

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC 2019 1 / 13 Algebraic Learning With Errors A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE,

  1. Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC 2019 1 / 13

  2. ‘Algebraic’ Learning With Errors ◮ A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, Middle-Product-LWE, . . . 2 / 13

  3. ‘Algebraic’ Learning With Errors ◮ A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, Middle-Product-LWE, . . . ◮ Hardness supported by a web of reductions, from worst-case problems on algebraic lattices and among the problems themselves [SSTX’09,LPR’10,LS’15,L’16,PRS’17,RSSS’17,AD’17,RSW’18,BBPS’18,. . . ] 2 / 13

  4. ‘Algebraic’ Learning With Errors ◮ A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, Middle-Product-LWE, . . . ◮ Hardness supported by a web of reductions, from worst-case problems on algebraic lattices and among the problems themselves [SSTX’09,LPR’10,LS’15,L’16,PRS’17,RSSS’17,AD’17,RSW’18,BBPS’18,. . . ] 2 / 13

  5. ‘Algebraic’ Learning With Errors ◮ A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, Middle-Product-LWE, . . . ◮ Hardness supported by a web of reductions, from worst-case problems on algebraic lattices and among the problems themselves [SSTX’09,LPR’10,LS’15,L’16,PRS’17,RSSS’17,AD’17,RSW’18,BBPS’18,. . . ] ◮ But these reductions are often difficult to understand and use: 2 / 13

  6. ‘Algebraic’ Learning With Errors ◮ A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, Middle-Product-LWE, . . . ◮ Hardness supported by a web of reductions, from worst-case problems on algebraic lattices and among the problems themselves [SSTX’09,LPR’10,LS’15,L’16,PRS’17,RSSS’17,AD’17,RSW’18,BBPS’18,. . . ] ◮ But these reductions are often difficult to understand and use: ⋆ Several steps between problems of interest ⋆ Complex analysis and parameters ⋆ Frequently large blowup and distortion of error distributions, across different metrics ⋆ Sometimes non-uniform advice that appears hard to compute 2 / 13

  7. Prior Hardness of Ring-LWE and MP-LWE (dual) O K -LWE [LPR’10,PRS’17] worst-case approx- O K -SIVP 3 / 13

  8. Prior Hardness of Ring-LWE and MP-LWE (primal) O K -LWE complex & non-uniform; [LPR’10,DD’12,RSW’18] expands error (dual) O K -LWE [LPR’10,PRS’17] worst-case approx- O K -SIVP 3 / 13

  9. Prior Hardness of Ring-LWE and MP-LWE (primal) Z [ α ] -LWE complex & non-uniform; [RSW’18] expands error by ≥ � V α � , � V − 1 α � (primal) O K -LWE complex & non-uniform; [LPR’10,DD’12,RSW’18] expands error (dual) O K -LWE [LPR’10,PRS’17] worst-case approx- O K -SIVP 3 / 13

  10. Prior Hardness of Ring-LWE and MP-LWE MP-LWE n,d for any α s.t. d ≤ deg( α ) ≤ n , [RSSS’17] expands error by ≥ d · EF ( α ) (primal) Z [ α ] -LWE complex & non-uniform; [RSW’18] expands error by ≥ � V α � , � V − 1 α � (primal) O K -LWE complex & non-uniform; [LPR’10,DD’12,RSW’18] expands error (dual) O K -LWE [LPR’10,PRS’17] worst-case approx- O K -SIVP 3 / 13

  11. Our Contributions Definitions 1 A unified L -LWE problem class covering all proposed algebraic LWEs (over number-field rings) 4 / 13

  12. Our Contributions Definitions 1 A unified L -LWE problem class covering all proposed algebraic LWEs (over number-field rings) 2 A unified Generalized-LWE problem class covering all proposed LWEs (over commutative rings) 4 / 13

  13. Our Contributions Definitions 1 A unified L -LWE problem class covering all proposed algebraic LWEs (over number-field rings) 2 A unified Generalized-LWE problem class covering all proposed LWEs (over commutative rings) Reductions ◮ Simpler, tighter reductions among algebraic and general LWEs 4 / 13

  14. Our Contributions Definitions 1 A unified L -LWE problem class covering all proposed algebraic LWEs (over number-field rings) 2 A unified Generalized-LWE problem class covering all proposed LWEs (over commutative rings) Reductions ◮ Simpler, tighter reductions among algebraic and general LWEs ⋆ All have easy-to-analyze effects on the error distribution ⋆ Some are even error preserving 4 / 13

  15. Our Contributions Definitions 1 A unified L -LWE problem class covering all proposed algebraic LWEs (over number-field rings) 2 A unified Generalized-LWE problem class covering all proposed LWEs (over commutative rings) Reductions ◮ Simpler, tighter reductions among algebraic and general LWEs ⋆ All have easy-to-analyze effects on the error distribution ⋆ Some are even error preserving ◮ Error-preserving L -LWE ≤ L ′ -LWE under mild conditions on L ′ ⊆ L . 4 / 13

  16. Our Contributions Definitions 1 A unified L -LWE problem class covering all proposed algebraic LWEs (over number-field rings) 2 A unified Generalized-LWE problem class covering all proposed LWEs (over commutative rings) Reductions ◮ Simpler, tighter reductions among algebraic and general LWEs ⋆ All have easy-to-analyze effects on the error distribution ⋆ Some are even error preserving ◮ Error-preserving L -LWE ≤ L ′ -LWE under mild conditions on L ′ ⊆ L . ◮ For any order L = Z [ α ] with d ≤ deg( α ) ≤ n , Z [ α ] -LWE ≤ MP-LWE n,d with error expansion � V α � . 4 / 13

  17. New Hardness of MP-LWE MP-LWE n,d d ≤ deg( α ) ≤ n , expands by ≥ d · EF ( α ) (primal) Z [ α ] -LWE complex & non-uniform; expands by ≥ � V α � , � V − 1 α � (primal) O K -LWE complex & non-uniform; expands error (dual) O K -LWE worst-case approx- O K -SIVP 5 / 13

  18. New Hardness of MP-LWE MP-LWE n,d d ≤ deg( α ) ≤ n , expands by ≥ d · EF ( α ) (dual) Z [ α ] -LWE (primal) Z [ α ] -LWE complex & non-uniform; expands by ≥ � V α � , � V − 1 α � ( L to L ′ ) (primal) O K -LWE simple & uniform, preserves error complex & non-uniform; expands error (dual) O K -LWE worst-case approx- O K -SIVP 5 / 13

  19. New Hardness of MP-LWE simple & uniform, MP-LWE n,d expands by � V α � , d ≤ deg( α ) ≤ n d ≤ deg( α ) ≤ n , expands by ≥ d · EF ( α ) (dual) Z [ α ] -LWE (primal) Z [ α ] -LWE complex & non-uniform; expands by ≥ � V α � , � V − 1 α � ( L to L ′ ) (primal) O K -LWE simple & uniform, preserves error complex & non-uniform; expands error (dual) O K -LWE worst-case approx- O K -SIVP 5 / 13

  20. Ring-LWE and Variants Ring-LWE ◮ Let K = Q ( α ) be a number field and R = O K be its ring of integers. = Z [ x ] / ( x n + 1) for n = 2 k .) (E.g., R ∼ 6 / 13

  21. Ring-LWE and Variants Ring-LWE ◮ Let K = Q ( α ) be a number field and R = O K be its ring of integers. = Z [ x ] / ( x n + 1) for n = 2 k .) (E.g., R ∼ ◮ R -LWE q for secret s ∈ R ∨ q concerns ‘noisy random products’ � a ← R q , b ≈ s · a ∈ R ∨ � . q 6 / 13

  22. Ring-LWE and Variants Ring-LWE ◮ Let K = Q ( α ) be a number field and R = O K be its ring of integers. = Z [ x ] / ( x n + 1) for n = 2 k .) (E.g., R ∼ ◮ R -LWE q for secret s ∈ R ∨ q concerns ‘noisy random products’ � a ← R q , b ≈ s · a ∈ R ∨ � . q Order-LWE ◮ Same, but R = O is some arbitrary order of K (not necessarily O K ). 6 / 13

  23. Ring-LWE and Variants Ring-LWE ◮ Let K = Q ( α ) be a number field and R = O K be its ring of integers. = Z [ x ] / ( x n + 1) for n = 2 k .) (E.g., R ∼ ◮ R -LWE q for secret s ∈ R ∨ q concerns ‘noisy random products’ � a ← R q , b ≈ s · a ∈ R ∨ � . q Order-LWE ◮ Same, but R = O is some arbitrary order of K (not necessarily O K ). Poly-LWE ◮ Same, but R = Z [ α ] ∼ = Z [ x ] /f ( x ) and s, a, s · a ∈ R q (no dual R ∨ q ). 6 / 13

  24. New Unified Problem: L -LWE ◮ Let K = Q ( α ) be a number field and L ⊂ K any (full-rank) lattice. 7 / 13

  25. New Unified Problem: L -LWE ◮ Let K = Q ( α ) be a number field and L ⊂ K any (full-rank) lattice. ◮ The coefficient ring of L , which is an order of K , is O L := { x ∈ K : x L ⊆ L} = ( L · L ∨ ) ∨ . 7 / 13

  26. New Unified Problem: L -LWE ◮ Let K = Q ( α ) be a number field and L ⊂ K any (full-rank) lattice. ◮ The coefficient ring of L , which is an order of K , is O L := { x ∈ K : x L ⊆ L} = ( L · L ∨ ) ∨ . Note: if L is an order O or its dual O ∨ , then O L = O . 7 / 13

  27. New Unified Problem: L -LWE ◮ Let K = Q ( α ) be a number field and L ⊂ K any (full-rank) lattice. ◮ The coefficient ring of L , which is an order of K , is O L := { x ∈ K : x L ⊆ L} = ( L · L ∨ ) ∨ . Note: if L is an order O or its dual O ∨ , then O L = O . The L -LWE Problem 7 / 13

  28. New Unified Problem: L -LWE ◮ Let K = Q ( α ) be a number field and L ⊂ K any (full-rank) lattice. ◮ The coefficient ring of L , which is an order of K , is O L := { x ∈ K : x L ⊆ L} = ( L · L ∨ ) ∨ . Note: if L is an order O or its dual O ∨ , then O L = O . The L -LWE Problem ◮ L -LWE q for secret s ∈ L ∨ q concerns noisy products a ← O L q , b ≈ s · a ∈ L ∨ � � . q 7 / 13

Recommend

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography Vadim

814 views • 70 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory of Cryptography Conference 5 March 2006 Chris Peikert (MIT) On Error Correction in the Exponent TCC 2006 1 / 9 Error Correction (in the

1.04k views • 58 slides
New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

960 views • 68 slides
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD78,Gen09] FHE lets you do this:

1.36k views • 98 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12 Conclusions 2 / 12 Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error

861 views • 65 slides
A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan 2 Brent Waters 1 1 SRI International 2 MIT CRYPTO 2008 1 / 10 Oblivious Transfer [R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. .

1.02k views • 50 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018

Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018

Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15 Constrained Pseudorandom Functions [KPTZ13,BW13,BGI14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 / 15 Constrained

916 views • 60 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+ 1 May 2019 1 / 15 Zero Knowledge [GoldwasserMicaliRackoff85] Zero-knowledge (interactive) proof for language L : allows a prover P to

1.21k views • 89 slides
Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech CRYPTO 2014 19 August 2014 1 / 10 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval (

1.03k views • 50 slides
Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International Complexity 2007 1 / 12 Lattices and Their Problems Let B = { b 1 , . . . , b n } R n be linearly independent. The n -dim lattice L having basis B is:

902 views • 58 slides
Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School

Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School

Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School 12 Oct 2015 1 / 14 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval ( f ) f ( ) A cryptographic holy

1.01k views • 66 slides
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short Generator of a Principal Ideal

418 views • 23 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 1 1 Tel Aviv University 2 Georgia Institute of Technology Eurocrypt 2010 1 / 12 The Learning With Errors Problem [Regev05]

819 views • 59 slides

More recommend