all along the ring tower
play

All Along the Ring Tower Algebraic Structures for Fun and Profit - PowerPoint PPT Presentation

Jul 17, 2023 •209 likes •635 views

All Along the Ring Tower Algebraic Structures for Fun and Profit Thomas Prest joint work w/ {Lo Ducas} {Thomas Pornin} {Lo Ducas, Steven Galbraith, Yang Yu} RISC PROMETHEUS Seminar, 03/05/2019 Introducon I Three Case Studies

  1. All Along the Ring Tower Algebraic Structures for Fun and Profit Thomas Prest joint work w/ {Léo Ducas} ∪ {Thomas Pornin} ∪ {Léo Ducas, Steven Galbraith, Yang Yu} RISC × PROMETHEUS Seminar, 03/05/2019

  2. Introduc�on I Three Case Studies II Generalized Bézout Equa�ons i Generalized Four Square Theorem ii iii Efficient La�ce Decoding III Conclusion 2 / 21

  3. Rings in La�ce-Based Cryptography It is typical in la�ce-based cryptography to use matrices with coefficients in Z q [ x ] / ( x d + 1 ) rather than Z q : Communica�on costs typically go O ( d 2 ) ⇒ O ( d ) 1 2 Computa�on costs typically go O ( d 2 ) ⇒ O ( d log d ) But in some situa�ons this addi�onal structure seems ineffec�ve: 1 Matrix decomposi�on (Cholesky, Gram-Schmidt, etc.) Solving equa�ons in a ring which is not a field (e.g. Z [ x ] / ( x d + 1 ) ) 2 Algorithms can take �me up to Θ ( d 2 ) or Θ ( d 3 ) . 3 / 21

  4. The State of Affairs What naïve solu�ons do: View Q [ x ] / ( x d + 1 ) as either a Q -linear space of dimension d , an 1 extension field of Q of degree d , etc. 2 This ignores the rich structure of cyclotomic rings and fields. What happens when we open the black box? 4 / 21

  5. Cyclotomic Fields - Opening the Black Box For d a power-of-two, we note: ➳ Q d = Q [ x ] / ( x d + 1 ) the d -th cyclotomic field ➳ Z d = Z [ x ] / ( x d + 1 ) the d -th cyclotomic ring We have this tower of fields: Q ⊊ Q 2 ⊊ · · · ⊆ Q d / 2 ⊊ Q d As well as this chain of isomorphisms: Q d ∼ = ( Q 2 ) d / 2 ∼ = ( Q d / 2 ) 2 ∼ = . . . ∼ = Q d At a high level: ➳ The field norm and field trace allows to move in the tower of fields ➳ Ring isomorphisms allow us to move in the chain of ring isomorphisms 5 / 21

  6. Traces and Norms in Cyclotomic Fields Defini�on: For a (finite) field extension L / K : ➳ The field trace is: ➳ The field norm is: Tr L / K : L → K N L / K : L → K ∑ ∏ f �→ σ ( f ) f �→ σ ( f ) σ ∈ Gal ( L / K ) σ ∈ Gal ( L / K ) Concretely: if f ( x ) = f e ( x 2 ) + x · f o ( x 2 ) ∈ Q d , then f × ( x ) = f ( − x ) and: ➳ Tr Q d / Q d / 2 ( f ) = f + f × ➳ N Q d / Q d / 2 ( f ) = f · f × = 2 · f e ( x 2 ) = f 2 e ( x 2 ) − x 2 f 2 o ( x 2 ) Composi�on proper�es: ➳ Tr L / K ◦ Tr M / L = Tr M / K ➳ N L / K ◦ N M / L = N M / K Homomorphic proper�es: ➳ Tr L / K ( a + b ) = Tr L / K ( a )+ Tr L / K ( b ) ➳ N L / K ( a · b ) = N L / K ( a ) · N L / K ( b ) 6 / 21

  7. Introduc�on I Three Case Studies II Generalized Bézout Equa�ons i Generalized Four Square Theorem ii iii Efficient La�ce Decoding III Conclusion 7 / 21

  8. g f However, some schemes require a full trapdoor B : G F Hash-then-sign [PFH 17], IBE [DLP14], HIBE [CG17] More generally, anything based on trapdoor sampling [GPV08] x d x d Problem: Given f g x 1 , find F G x 1 such that: f G g F q Problem 1 - Comple�ng NTRU Bases NTRU La�ces: ➳ Prevalent in la�ce-based crypto [ 1 , for h = g × f − 1 mod ( φ , q ) . h ] ➳ Public key is A = ➳ Private key is B such that B × A t = 0 mod ( φ , q ) [ g − f ] Some schemes only require a par�al trapdoor B = : ➳ Fiat-Shamir [ZCHW17], encryp�on [SHRS17], FHE [LTV12, BLLN13] 8 / 21

  9. x d x d Problem: Given f g x 1 , find F G x 1 such that: f G g F q Problem 1 - Comple�ng NTRU Bases NTRU La�ces: ➳ Prevalent in la�ce-based crypto [ 1 , for h = g × f − 1 mod ( φ , q ) . h ] ➳ Public key is A = ➳ Private key is B such that B × A t = 0 mod ( φ , q ) [ g − f ] Some schemes only require a par�al trapdoor B = : ➳ Fiat-Shamir [ZCHW17], encryp�on [SHRS17], FHE [LTV12, BLLN13] [ g ] − f However, some schemes require a full trapdoor B = : G − F ➳ Hash-then-sign [PFH + 17], IBE [DLP14], HIBE [CG17] ➳ More generally, anything based on trapdoor sampling [GPV08] 8 / 21

  10. Problem 1 - Comple�ng NTRU Bases NTRU La�ces: ➳ Prevalent in la�ce-based crypto [ 1 , for h = g × f − 1 mod ( φ , q ) . h ] ➳ Public key is A = ➳ Private key is B such that B × A t = 0 mod ( φ , q ) [ g − f ] Some schemes only require a par�al trapdoor B = : ➳ Fiat-Shamir [ZCHW17], encryp�on [SHRS17], FHE [LTV12, BLLN13] [ g ] − f However, some schemes require a full trapdoor B = : G − F ➳ Hash-then-sign [PFH + 17], IBE [DLP14], HIBE [CG17] ➳ More generally, anything based on trapdoor sampling [GPV08] Problem: Given f , g ∈ Z [ x ] / ( x d + 1 ) , find F , G ∈ Z [ x ] / ( x d + 1 ) such that: f · G − g · F = q 8 / 21

  11. Fun fact If we can solve the problem projected over Z d / 2 , i.e.: N Z d / Z d / 2 ( f ) · G ′ − N Z d / Z d / 2 ( g ) · F ′ = 1 for some F ′ , G ′ , then we have this rela�onship over Z d : f · ( f × G ′ ) − g · ( g × F ′ ) = 1 This leads to a simple algorithm: 1 Project 2 Solve 3 Li� 9 / 21

  12. F G F 1 G 1 N d 2 f N d 2 g d d F 2 G 2 N d 4 f N d 4 g d d . . . . . . . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ⊊ Z d / 2 ⊊ Z d / 4 ⊊ . . . ⊊ Z 10 / 21

  13. F G F 1 G 1 F 2 G 2 N d 4 f N d 4 g d d . . . . . . . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ⊊ Z d / 4 ⊊ . . . ⊊ Z 10 / 21

  14. F G F 1 G 1 F 2 G 2 . . . . . . . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ⊊ . . . ⊊ Z 10 / 21

  15. F G F 1 G 1 F 2 G 2 . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . ⊊ Z 10 / 21

  16. F G F 1 G 1 F 2 G 2 . . . F G At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . ↓ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) ∋ Z 10 / 21

  17. F G F 1 G 1 F 2 G 2 . . . At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . ↓ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) F [ ℓ ] , G [ ℓ ] ∋ → Z 10 / 21

  18. F G F 1 G 1 F 2 G 2 At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . . . . ↓ ↑ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) F [ ℓ ] , G [ ℓ ] ∋ → Z 10 / 21

  19. F G F 1 G 1 At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ F [ 2 ] , G [ 2 ] N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ → ↓ ↑ ⊊ . . . . . . . . . . . . ↓ ↑ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) F [ ℓ ] , G [ ℓ ] ∋ → Z 10 / 21

Recommend

Tower & Tower & Tower & Tower & Ashbourne Ashbourne Ashbourne Ashbourne

Tower & Tower & Tower & Tower & Ashbourne Ashbourne Ashbourne Ashbourne

Tower & Tower & Tower & Tower & Ashbourne Ashbourne Ashbourne Ashbourne Cabinet Presentation Fire Safety: UK Building Regulations Comparison Slough Borough Council England Scotland Wales Tower & Ashbourne

497 views • 23 slides
Tower Operation Management System TOMS Hu Yuming, China Background Tower control is one of

Tower Operation Management System TOMS Hu Yuming, China Background Tower control is one of

Tower Operation Management System TOMS Hu Yuming, China Background Tower control is one of the most complex parts in ATC service. A typical tower control consists of many particular procedures and steps . ACC Tower Tower Cruise TMA

543 views • 17 slides
PRIMARILY RESIDENTIAL DEVELOPMENT Approved office development New offices in the mixed- use

PRIMARILY RESIDENTIAL DEVELOPMENT Approved office development New offices in the mixed- use

TOWER 4 TOWER 2 RESIDENTIAL RESIDENTIAL 120,000 sq. ft. 275,000 sq. ft. TOWER 1 TOWER 5 RESIDENTIAL RESIDENTIAL 165,000 sq. ft. 130,000 sq. ft. HOTEL 150,000 sq.ft PROJECT VISION The proposed redevelopment of Eau Claire Market is a

258 views • 10 slides
Tower Hamlets Together: Discovery Phase Findings and next steps Tower Hamlets Vanguard Outcomes

Tower Hamlets Together: Discovery Phase Findings and next steps Tower Hamlets Vanguard Outcomes

Tower Hamlets Together: Discovery Phase Findings and next steps Tower Hamlets Vanguard Outcomes Framework Articulates our ambition to improve health and social care outcomes and experience for Tower Hamlets citizens Is co-produced

251 views • 12 slides
Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
PAUL PARFITT BAE/MAE Structural Option Senior Thesis Tower 333 May 4 th 2007 Tower 333

PAUL PARFITT BAE/MAE Structural Option Senior Thesis Tower 333 May 4 th 2007 Tower 333

PAUL PARFITT BAE/MAE Structural Option Senior Thesis Tower 333 May 4 th 2007 Tower 333 Introduction Proposal Lateral System Redesign Elimination of Moment Frames Core-Only Solution Cost Analysis & Schedule Reduction

814 views • 43 slides
Proposed Telecommunications Tower 7 Harlech Court, Markham Ontario Why is the tower needed?

Proposed Telecommunications Tower 7 Harlech Court, Markham Ontario Why is the tower needed?

Proposed Telecommunications Tower 7 Harlech Court, Markham Ontario Why is the tower needed? Maintain the current wireless infrastructure presently located within the community Voice (phone) Data (email, SMS) Internet service (web)

316 views • 12 slides
lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

Crystal Extraction from the Recycler Ring A.I. Drozhdin Fermi National Accelerator Laboratory P.O. Box 500, Batavia, Illinois 60510 May 31, 2012 1 Recycler Ring Lattice The choices to install the crystal in the Recycler Ring would be

427 views • 13 slides
New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of Sheffield) V. V. Bavula, New criteria for a ring to have a semisim- ple left quotient ring. Arxiv:math.RA:1303.0859. talk-NewCrit-SS-lQuot.tex 1

359 views • 15 slides
pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower

pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower

pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower Shuoxing Wu ETHZ 2 LAr pump tower function test self-recirculation to simulate outer LAr bath real operation condition h valves open pump

57 views • 5 slides
A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic stat No el magnetic states es induced b induced by ring e ring exchange change Members: Tsutomu Momoi (RIKEN) Kenn Kubo (Aoyama Gakuinn Univ.)

489 views • 31 slides
TYPICAL FLOOR PLAN CLUB HOUSE DEVELOPMENT MAIN ENTRANCE 3 BHK TOWER - C 3 BHK TOWER - B 4 BHK

TYPICAL FLOOR PLAN CLUB HOUSE DEVELOPMENT MAIN ENTRANCE 3 BHK TOWER - C 3 BHK TOWER - B 4 BHK

TYPICAL FLOOR PLAN CLUB HOUSE DEVELOPMENT MAIN ENTRANCE 3 BHK TOWER - C 3 BHK TOWER - B 4 BHK TOWER - A SITE LAYOUT MAIN ENTRANCE 3 BHK UNIT PLAN 4 BHK UNIT PLAN FACTSHEET : Rs. 100/sft for Garden Facing Units in advance at the time of

98 views • 5 slides
Analysis of Hope Point Tower Proposal 7-18-17 DRAFT 1 Hope Point Tower q Parcel 42, west

Analysis of Hope Point Tower Proposal 7-18-17 DRAFT 1 Hope Point Tower q Parcel 42, west

Analysis of Hope Point Tower Proposal 7-18-17 DRAFT 1 Hope Point Tower q Parcel 42, west bank of Providence River, north of I-195, south of downtown. q A mixed-use project with residential, retail & parking to be built in a single phase.

528 views • 9 slides
T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

The generic model Nongeometric properties A systematic source A topos-theoretic Nullstellensatz This talk in a nutshell: There is a certain ring, the generic ring , which is special in that it is conserva- tive : It has exactly

855 views • 26 slides
EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union: challenges and strategic responses Colloquium 27 October 2015 Dr. Graeme P. Herd , Professor of Transnational Security Studies, George C. Marshall

344 views • 9 slides
From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms II. Universal localisations III. Recollements Throughout, A will denote a ring (with unit) and K a field. I. Ring epimorphisms Ring epimorphisms

418 views • 5 slides
1 1 The Tower in Genesis 11: The Tower in Genesis 11: built in direct opposition to God: built

1 1 The Tower in Genesis 11: The Tower in Genesis 11: built in direct opposition to God: built

X X 1 1 The Tower in Genesis 11: The Tower in Genesis 11: built in direct opposition to God: built in direct opposition to God: 1) The builders wanted a tower, the top of which could reach unto heaven (see Genesis 1:20). 2) The

778 views • 48 slides
Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res esona onator tors s Initial patterning and update by Agn iuiulkait Uppsala University Motivation Fabricate magneto-plasmonic

321 views • 28 slides
Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB Ring-HF 1 Elektrische Anlagen im AEB Ring HF BG1016 Sicherheitsbelehrung AEB Ring-HF 2 Elektr. Anlagen im BG1016 Netzgerte fr

290 views • 17 slides
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

A clitellum is a band of thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released After eggs are fertilized in the ring, the ring slips off the worm's body and forms a protective cocoon.

218 views • 7 slides
Wireless Network Communications Prepared by FONTUR International Telecommunication Tower

Wireless Network Communications Prepared by FONTUR International Telecommunication Tower

Bell Mobility Wireless Network Communications Prepared by FONTUR International Telecommunication Tower Proposal: 10 Bur Oak Avenue, Markham March 19, 2018 Proposed Tower Location Application Start Date: December 10, 2014 Public

476 views • 11 slides
Complications of Wear or Corrosion of Chrome-Cobalt Hip Implants Stephen S. Tower, M.D.

Complications of Wear or Corrosion of Chrome-Cobalt Hip Implants Stephen S. Tower, M.D.

Complications of Wear or Corrosion of Chrome-Cobalt Hip Implants Stephen S. Tower, M.D. Affiliated Professor UAA/ WWAMI Tower Joint Replacement Clinic www.tjrclinic.com Disclosures Index Case of Arthroprosthetic Cobaltism 2006-2009 Author

534 views • 34 slides

More recommend