Compare to 2013 Lyubashevsky–Peikert–Regev: “All of the algebraic and algorithmic tools (including quantum computation) that we employ … can also be brought to bear against SVP and other problems on ideal lattices. Yet despite considerable effort, no significant progress in attacking these problems has been made. The best known algorithms for ideal lattices perform essentially no better than their generic counterparts, both in theory and in practice.”

Secret key in Gentry’s system: short element g of R. R: e.g., ring of integers O_K of a cyclotomic field K. Public key: ideal gR.

Attack stage 1, quantum: SODA 2016 Biasse–Song finds some generator of gR. Builds on Eisenträger–Hallgren–Kitaev–Song algorithm for R^*.

Attack stage 2, cyclotomic: simple reduction algorithm from 2014 Campbell–Groves–Shepherd.

Standard algebraic-number-theory view of all generators of gR, i.e., all ug where u ∈ R^*: Log u ranges over Dirichlet’s log-unit lattice; Log ug = Log u + Log g.

Given any generator ug, try to find short Log g by finding lattice vector Log u close to Log ug.

Apply, e.g., embedding or Babai, starting from basis for Log R^*? Hard to find short enough basis, unless g is extremely short.

For cyclotomic fields, often u is a “cyclotomic unit”. Known textbook basis for cyclotomic units is a short basis.

Take, e.g., ζ = exp(2πi/1024); field Q(ζ); ring R = Z[ζ].

(ζ^3 − 1)/(ζ − 1) is a unit: directly invert, or apply ζ ↦ ζ^3 automorphism to factors of ζ − 1.

(ζ^9 − 1)/(ζ^3 − 1) is a unit. (ζ^27 − 1)/(ζ^9 − 1) is a unit. Et cetera. Obtain short basis.

Now embedding easily finds g.
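The unit chain and the rule Log ug = Log u + Log g from the cyclotomic-unit slide, worked through in code. This is an added example, not code from the talk: it models R = Z[ζ] for ζ = exp(2πi/1024) as Z[x]/(x^512 + 1), inverts (ζ^3 − 1)/(ζ − 1) directly, checks that (ζ^9 − 1)/(ζ^3 − 1) is the ζ ↦ ζ^3 image of that unit, and verifies the Log homomorphism numerically for a constructed short g. The function names and the sample g are my own choices.

```python
"""Cyclotomic units and the Log embedding in R = Z[zeta], zeta = exp(2*pi*i/1024).
Added example, not from the talk. Ring elements are integer coefficient lists
over Z[x]/(x^DEG + 1), which is Z[zeta] because 1024 is a power of 2."""
import cmath
import math

N = 1024       # conductor used on the slide: zeta = exp(2*pi*i/1024)
DEG = N // 2   # [Q(zeta):Q] = phi(1024) = 512, so R = Z[x]/(x^512 + 1)


def monomial(e, c=1):
    """c * zeta^e in R; x^DEG = -1 folds exponents >= DEG back with a sign."""
    f = [0] * DEG
    e %= 2 * DEG
    if e >= DEG:
        f[e - DEG] = -c
    else:
        f[e] = c
    return f

def add(a, b):
    return [x + y for x, y in zip(a, b)]

def mul(a, b):
    """Schoolbook product in Z[x]/(x^DEG + 1)."""
    prod = [0] * (2 * DEG)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] += ai * bj
    return [prod[k] - prod[k + DEG] for k in range(DEG)]

def automorphism(f, s):
    """Galois automorphism zeta -> zeta^s (s odd) applied to f."""
    out = [0] * DEG
    for e, c in enumerate(f):
        if c:
            out = add(out, monomial(e * s, c))
    return out

def geometric(e, terms):
    """1 + zeta^e + zeta^(2e) + ... + zeta^((terms-1)*e)."""
    out = [0] * DEG
    for j in range(terms):
        out = add(out, monomial(e * j))
    return out

def cyclotomic_unit(k):
    """(zeta^k - 1)/(zeta - 1) = 1 + zeta + ... + zeta^(k-1), k odd."""
    return geometric(1, k)

def cyclotomic_unit_inverse(k):
    """Direct inverse: with s = k^-1 mod N, zeta = (zeta^k)^s, so
    (zeta - 1)/(zeta^k - 1) = 1 + zeta^k + ... + zeta^(k*(s-1))."""
    return geometric(k, pow(k, -1, N))

def is_unit(k):
    """Exact check in R that u_k times the claimed inverse is 1."""
    return mul(cyclotomic_unit(k), cyclotomic_unit_inverse(k)) == monomial(0)

def chain_step_matches(k):
    """Slide's next factor (zeta^(k^2)-1)/(zeta^k-1) equals sigma_k(u_k), and
    u_k * sigma_k(u_k) = (zeta^(k^2)-1)/(zeta-1) = 1 + zeta + ... + zeta^(k^2-1)."""
    u_k = cyclotomic_unit(k)
    return mul(u_k, automorphism(u_k, k)) == geometric(1, k * k)

def log_embedding(f):
    """Log f = (log|sigma_k(f)|)_k, one k per complex-conjugate pair."""
    logs = []
    for k in range(1, N // 2, 2):          # odd k < N/2: 256 embeddings
        z = cmath.exp(2j * math.pi * k / N)
        val = 0j
        for c in reversed(f):              # Horner: evaluate f at zeta^k
            val = val * z + c
        logs.append(math.log(abs(val)))
    return logs

def max_log_deviation(u, g):
    """Largest coordinate of |Log(ug) - (Log u + Log g)|; ~0 up to rounding."""
    lu, lg, lug = log_embedding(u), log_embedding(g), log_embedding(mul(u, g))
    return max(abs(c - (a + b)) for a, b, c in zip(lu, lg, lug))

# Constructed short "secret" g = 3 + zeta - 2 zeta^5 + zeta^100 - zeta^300.
SAMPLE_G = [0] * DEG
for _e, _c in [(0, 3), (1, 1), (5, -2), (100, 1), (300, -1)]:
    SAMPLE_G = add(SAMPLE_G, monomial(_e, _c))

if __name__ == "__main__":
    u3 = cyclotomic_unit(3)
    print("u_3 is a unit:", is_unit(3))
    print("u_3 * sigma_3(u_3) = u_9:", chain_step_matches(3))
    print("max |Log(ug) - Log u - Log g|:", max_log_deviation(u3, SAMPLE_G))
    # A unit has |Norm| = 1, so its Log coordinates sum to 0 (Dirichlet).
    print("sum of Log u_3:", sum(log_embedding(u3)))
```

Every Log coordinate of u_3 is at most log 3 because |1 + ζ^k + ζ^2k| ≤ 3, which is the sense in which the textbook cyclotomic-unit basis is short.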
Are you a lattice salesman? Try to dismiss lattice attacks. Ask: Do attacks against
• the gR ↦ g problem,
• Gentry’s original FHE system,
• the original Garg–Gentry–Halevi multilinear maps, …
really matter for users?

My response to the salesman: Maybe not—but this problem is a natural starting point for studying other lattice problems that we certainly care about. “Canary in the coal mine.”

“Exact Ideal-SVP”: I ↦ shortest nonzero vector in I. “Approximate Ideal-SVP”: I ↦ short nonzero vector in I.

Attack is against ideal I with a short generator.

2015 Peikert says idea is “useless” for more general principal ideals: “We simply hadn’t realized that the added guarantee of a short generator would transform the technique from useless to devastatingly effective.”

2015 Peikert also says idea is limited to principal ideals: “Although cyclotomics have a lot of structure, nobody has yet found a way to exploit it in attacking Ideal-SVP/BDD … For commonly used rings, principal ideals are an extremely small fraction of all ideals. … The weakness here is not so much due to the structure of cyclotomics, but rather to the extra structure of principal ideals that have short generators.”

Actually, the idea produces attacks far beyond this case.

2016 Cramer–Ducas–Wesolowski: Ideal-SVP attack for approx factor 2^(N^(1/2+o(1))) in deg-N cyclotomics, under plausible assumptions about class-group generators etc. Start from Biasse–Song, use more features of cyclotomic fields.

Can techniques be pushed to smaller approx factors? Can techniques be adapted to break, e.g., Ring-LWE?

NIST post-quantum competition: 69 submissions (5 withdrawn), including 20 lattice-based enc.

Most lattice-based enc systems use power-of-2 cyclotomics. Some non-power-of-2 cyclotomics: LIMA has Φ_1019 option, “more conservative choice of field”; NTRU-HRSS-KEM uses Φ_701; NTRUEncrypt uses Φ_743 etc.

Can cyclotomic attacks on Gentry be extended to these systems?

Some systems avoid cyclotomics. FrodoKEM-640, 9616-byte key: relies on matrix rings; says that commutative rings “have the potential for weaknesses due to the extra structure”.

Titanium-lite, 14720-byte key: uses “middle product” to “hedge against the weakness of specific polynomial rings”.

Streamlined NTRU Prime 4591^761, 1218-byte key: see Tanja’s talk later today.

Two theories. Theory 1: …
11 12 ost-quantum competition Some systems avoid cyclotomics. Two theories of lattice (5 withdrawn), FrodoKEM-640, 9616-byte key: Theory 1: Best choices ice-based enc. relies on matrix rings; says that are choices where commutative rings “have “attack against cryptosystem lattice-based enc systems the potential for weaknesses ⇒ attack against p cyclotomics. due to the extra structure”. where L F is a “lat er-of-2 cyclotomics: option, “more Titanium-lite, 14720-byte key: choice of field”; uses “middle product” to NTRU-HRSS-KEM uses Φ 701 ; “hedge against the weakness uses Φ 743 etc. of specific polynomial rings”. attacks on Gentry Streamlined NTRU Prime 4591 761 , 1218-byte key: these systems? see Tanja’s talk later today.
11 12 etition Some systems avoid cyclotomics. Two theories of lattice safety wn), FrodoKEM-640, 9616-byte key: Theory 1: Best choices of field enc. relies on matrix rings; says that are choices where we know p commutative rings “have “attack against cryptosystem systems the potential for weaknesses ⇒ attack against problem L cyclotomics. due to the extra structure”. where L F is a “lattice problem”. cyclotomics: “more Titanium-lite, 14720-byte key: field”; uses “middle product” to 701 ; “hedge against the weakness etc. of specific polynomial rings”. Gentry Streamlined NTRU Prime 4591 761 , 1218-byte key: systems? see Tanja’s talk later today.
Two theories of lattice safety

Theory 1: Best choices of field $F$ are choices where we know proofs “attack against cryptosystem $C_F$ $\Rightarrow$ attack against problem $L_F$”, where $L_F$ is a “lattice problem”. Intuitive flaw in theory 1: Maybe these choices make $L_F$ weak!

Theory 2: Safety of field $F$ is damaged by extra automorphisms, extra subfields, etc. Similar situation to discrete-log crypto.

What’s a good test case for $F$?
Multiquadratic fields

Assumptions: $n \in \{0, 1, 2, \dots\}$; squarefree $d_1, \dots, d_n \in \mathbb{Z}$; $\prod_{j \in J} d_j$ non-square for each nonempty subset $J \subseteq \{1, \dots, n\}$. $K = \mathbb{Q}(\sqrt{d_1}, \dots, \sqrt{d_n})$: smallest subfield of $\mathbb{C}$ containing $\sqrt{d_1}, \dots, \sqrt{d_n}$. $K$ is a degree-$2^n$ number field. Basis: $\sqrt{\prod_{j \in J} d_j}$ for each subset $J \subseteq \{1, \dots, n\}$. e.g. $\mathbb{Q}(\sqrt{2}, \sqrt{3}) = \mathbb{Q} \oplus \mathbb{Q}\sqrt{2} \oplus \mathbb{Q}\sqrt{3} \oplus \mathbb{Q}\sqrt{6}$.
This field is Galois: has $2^n$ automorphisms. e.g. automorphisms of $\mathbb{Q}(\sqrt{2}, \sqrt{3})$ map $a + b\sqrt{2} + c\sqrt{3} + d\sqrt{6}$ to $a + b\sqrt{2} + c\sqrt{3} + d\sqrt{6}$; $a - b\sqrt{2} + c\sqrt{3} - d\sqrt{6}$; $a + b\sqrt{2} - c\sqrt{3} - d\sqrt{6}$; $a - b\sqrt{2} - c\sqrt{3} + d\sqrt{6}$.

About $2^{n^2/4}$ subfields. e.g. subfields of $\mathbb{Q}(\sqrt{2}, \sqrt{3})$: $\mathbb{Q}(\sqrt{2}, \sqrt{3})$, $\mathbb{Q}(\sqrt{2})$, $\mathbb{Q}(\sqrt{3})$, $\mathbb{Q}(\sqrt{6})$, $\mathbb{Q}$.
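The two slides above (basis, automorphisms, subfields) as an added Python model; this is my example, not code from the talk or the multiquadratic paper. Elements of $K$ are stored on exactly the slide's basis, indexed by subsets $J$; the $2^n$ automorphisms are the sign choices for each $\sqrt{d_j}$, and the absolute norm is the product of all conjugates. The exact subfield count via the Galois correspondence (subgroups of $(\mathbb{Z}/2)^n$) is my addition; the slide only gives the asymptotic $2^{n^2/4}$.

```python
"""Added model of a multiquadratic field K = Q(sqrt(d_1), ..., sqrt(d_n)) on the
slide's basis: an element is a dict {J: coefficient} where J is a frozenset of
indices from {1..n} and the coefficient multiplies sqrt(prod_{j in J} d_j)."""
from itertools import product


def from_coeffs(coeffs):
    """Build an element from {tuple_of_indices: coefficient}, dropping zeros."""
    return {frozenset(J): c for J, c in coeffs.items() if c != 0}


def basis(n, d):
    """The 2^n basis elements as (J, D_J) with D_J = prod_{j in J} d_j."""
    out = []
    for mask in range(2 ** n):
        J = frozenset(j for j in range(1, n + 1) if (mask >> (j - 1)) & 1)
        D = 1
        for j in J:
            D *= d[j]
        out.append((J, D))
    return out


def add(u, v):
    out = dict(u)
    for J, c in v.items():
        out[J] = out.get(J, 0) + c
    return {J: c for J, c in out.items() if c != 0}


def mul(u, v, d):
    """sqrt(D_J) * sqrt(D_L) = (prod_{j in J & L} d_j) * sqrt(D_{J xor L})."""
    out = {}
    for J, a in u.items():
        for L, b in v.items():
            scale = 1
            for j in J & L:
                scale *= d[j]
            M = J ^ L
            out[M] = out.get(M, 0) + a * b * scale
    return {J: c for J, c in out.items() if c != 0}


def automorphisms(n):
    """The 2^n automorphisms: a sign s_j per sqrt(d_j); sqrt(D_J) maps to
    (prod_{j in J} s_j) sqrt(D_J).  Yields one function per sign pattern."""
    for signs in product([1, -1], repeat=n):
        def sigma(u, signs=signs):
            out = {}
            for J, c in u.items():
                s = 1
                for j in J:
                    s *= signs[j - 1]
                out[J] = s * c
            return out
        yield sigma


def is_homomorphism(sigma, u, v, d):
    """Check sigma respects + and * on one pair of elements."""
    return (sigma(add(u, v)) == add(sigma(u), sigma(v))
            and sigma(mul(u, v, d)) == mul(sigma(u), sigma(v), d))


def conjugates(u, n):
    return [sigma(u) for sigma in automorphisms(n)]


def norm(u, d, n):
    """Absolute norm: product of all 2^n conjugates; irrational parts cancel."""
    acc = {frozenset(): 1}
    for conj in conjugates(u, n):
        acc = mul(acc, conj, d)
    assert set(acc) <= {frozenset()}
    return acc.get(frozenset(), 0)


def count_subfields(n):
    """Exact count (my addition): subfields of K correspond to subgroups of
    Gal(K/Q) = (Z/2)^n, i.e. subspaces of F_2^n, counted by Gaussian binomials.
    n = 2 gives the 5 subfields listed on the slide."""
    total = 0
    for k in range(n + 1):
        num = den = 1
        for i in range(k):
            num *= 2 ** (n - i) - 1
            den *= 2 ** (k - i) - 1
        total += num // den
    return total
```

With `d = {1: 2, 2: 3}` the four conjugates of `1 + 2√2 + 3√3 + 4√6` come out in exactly the four sign patterns the slide lists, `norm` of `1 + √2` is 1 (it is a unit), and `count_subfields(2)` is 5.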
Gentry for multiquadratics

Use optimizations from PKC 2010 Smart–Vercauteren, Eurocrypt 2011 Gentry–Halevi. $F$: monic irreducible polynomial. Ring $R = \mathbb{Z}[x]/F$; not required to be ring of integers of $\mathbb{Q}[x]/F$. Multiquadratics: take, e.g., $F = (x - \sqrt{2} - \sqrt{3}) \cdot (x + \sqrt{2} - \sqrt{3}) \cdot (x - \sqrt{2} + \sqrt{3}) \cdot (x + \sqrt{2} + \sqrt{3})$. Note $\mathbb{Q}(\sqrt{2} + \sqrt{3}) = \mathbb{Q}(\sqrt{2}, \sqrt{3})$.

Smart–Vercauteren keygen: Take short random $g \in R$. Compute $q$, absolute norm of $g$. Start over if $q$ is not prime. Compute root $r$ of $g$ in $\mathbb{Z}/q$. Public key $gR = qR + (x - r)R$ is represented as $(q, r)$.

(We implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup: instead of requiring prime $q$, require $\gcd\{b, q\} > 1$ for each relative norm $a + b\sqrt{d_i}$ of $g$. Any squarefree $q$ will work.)
Smart–Vercauteren encryption: Take short $m \in \mathbb{Z}[x]/F$. Ciphertext is $m(r) \in \mathbb{Z}/q$.

Homomorphic operations: add/multiply ciphertexts $m(r)$ to add/multiply messages $m$.

Decryption: given $c \in \{0, 1, \dots, q - 1\}$, compute $c/g \in \mathbb{Q}[x]/F$, round to element of $\mathbb{Z}[x]/F$, multiply by $g$, subtract from $c$. Decryption works if each coefficient of $m/g \in \mathbb{Q}[x]/F$ is in $(-1/2, 1/2)$.
Gentry says “computational complexity of all of these algorithms must be polynomial in security parameter”. Flaw in Smart–Vercauteren: for some choices of $F$, keygen time is not polynomial in security parameter.

For multiquadratic $F$, keygen is disastrously slow: far too many tries to find prime $q$. (Adaptation of Gentry–Halevi speedup gives only a polynomial improvement.)
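The keygen, encryption, homomorphic operations and decryption steps of the last four slides as an added toy implementation. It is my example, not the talk's or the paper's code, and it works over $R = \mathbb{Z}[x]/F$ with $F = x^4 - 10x^2 + 1$, which is the slide's product of four linear factors expanded. The coefficient bound $2^{16}$ for $g$, the seed, and the messages are constructed for illustration and carry no security; keygen also reports how many $g$ it had to draw before $|N(g)|$ was prime, the quantity the last slide says becomes prohibitive for larger multiquadratic $F$. The norm is computed as the determinant of the multiplication-by-$g$ matrix and $r$ as the root of $\gcd(F, g)$ over $\mathbb{Z}/q$; both are standard choices of mine, not something the slides specify.

```python
"""Added toy Smart-Vercauteren scheme over R = Z[x]/F, F = x^4 - 10x^2 + 1
(the slide's (x-sqrt2-sqrt3)(x+sqrt2-sqrt3)(x-sqrt2+sqrt3)(x+sqrt2+sqrt3)).
Exact arithmetic only; parameter sizes are constructed and carry no security."""
from fractions import Fraction
import random

F = [1, 0, -10, 0, 1]        # coefficients of F, lowest degree first
DEG = len(F) - 1             # an element of R is a list of DEG integers


def poly_mulmod(u, v):
    """Product of two elements of Z[x]/F (coefficient lists, lowest degree first)."""
    prod = [0] * (2 * DEG - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] += a * b
    for k in range(len(prod) - 1, DEG - 1, -1):  # subtract x^(k-DEG) * F; F is monic
        coef = prod[k]
        if coef:
            for t in range(DEG + 1):
                prod[k - DEG + t] -= coef * F[t]
    return prod[:DEG]


def mul_matrix(g):
    """Matrix (rows of Fractions) of multiplication by g on the basis 1, x, ..., x^(DEG-1)."""
    cols = [poly_mulmod(g, [int(j == i) for j in range(DEG)]) for i in range(DEG)]
    return [[Fraction(cols[j][i]) for j in range(DEG)] for i in range(DEG)]


def solve(M, b):
    """Gauss-Jordan over Q: v with M v = b.  Used to form c/g in Q[x]/F."""
    n = len(M)
    A = [row[:] + [Fraction(b[i])] for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def det(M):
    """Determinant by elimination over Q."""
    A = [row[:] for row in M]
    n, d = len(A), Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            d = -d
        d *= A[col][col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return d


def absolute_norm(g):
    """N(g) = det(multiplication by g) = product of g over the four roots of F."""
    return int(det(mul_matrix(g)))


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (bases 2..37); q here is about 2^72."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _strip(p):
    while p and p[-1] == 0:
        p.pop()
    return p


def poly_gcd_mod_q(a, b, q):
    """Euclid in F_q[x]; returns a (not necessarily monic) gcd, lowest degree first."""
    a, b = _strip([c % q for c in a]), _strip([c % q for c in b])
    while b:
        inv = pow(b[-1], -1, q)
        while len(a) >= len(b):
            f = a[-1] * inv % q
            shift = len(a) - len(b)
            for i, c in enumerate(b):
                a[shift + i] = (a[shift + i] - f * c) % q
            a = _strip(a)
        a, b = b, a
    return a


def find_root(g, q):
    """r with g(r) = 0 = F(r) in Z/q, so that gR = qR + (x - r)R; None if gcd is not linear."""
    h = poly_gcd_mod_q(F, g, q)
    if len(h) != 2:
        return None
    return (-h[0]) * pow(h[1], -1, q) % q


def poly_eval_mod(p, r, q):
    acc = 0
    for c in reversed(p):
        acc = (acc * r + c) % q
    return acc


def keygen(rng, bound=2 ** 16):
    """Slide's keygen: short random g, q = |N(g)|, retry until q is prime.
    Returns ((q, r), g, tries) so the retry count is visible."""
    tries = 0
    while True:
        tries += 1
        g = [rng.randint(-bound, bound) for _ in range(DEG)]
        q = abs(absolute_norm(g))
        if not is_prime(q):
            continue
        r = find_root(g, q)
        if r is not None:
            return (q, r), g, tries


def demo_keygen(seed=2017, bound=2 ** 16):
    return keygen(random.Random(seed), bound)


def encrypt(pk, m):
    """Ciphertext m(r) in Z/q for a short message polynomial m."""
    q, r = pk
    return poly_eval_mod(m, r, q)


def decrypt(g, c):
    """c/g in Q[x]/F, round to Z[x]/F, multiply by g, subtract from c."""
    v = solve(mul_matrix(g), [c] + [0] * (DEG - 1))
    w = [round(x) for x in v]
    gw = poly_mulmod(g, w)
    return [c - gw[0]] + [-x for x in gw[1:]]


def decryptable(g, m):
    """Slide's condition: every coefficient of m/g lies in (-1/2, 1/2)."""
    return all(abs(x) < Fraction(1, 2) for x in solve(mul_matrix(g), m))


if __name__ == "__main__":
    pk, g, tries = demo_keygen()
    q, r = pk
    m1, m2 = [1, 0, 1, 1], [0, 1, 1, 0]
    c1, c2 = encrypt(pk, m1), encrypt(pk, m2)
    print(f"q has {q.bit_length()} bits; prime q found after {tries} draws of g")
    print("sum  ok:", decrypt(g, (c1 + c2) % q) == [a + b for a, b in zip(m1, m2)])
    print("prod ok:", decrypt(g, c1 * c2 % q) == poly_mulmod(m1, m2))
```

Two small sanity points the code makes concrete: $N(x - a) = F(a)$, so `absolute_norm([-2, 1, 0, 0])` is $F(2) = -23$ and $q = 23$ with root $r = 2$; and the homomorphic product decrypts to $m_1 m_2$ reduced modulo $F$, whose coefficients are already much larger than those of $m_1, m_2$ because of the $-10x^2$ term, which is why the $(-1/2, 1/2)$ condition on $m/g$ is the thing to watch when chaining operations.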