an efficient and parallel gaussian sampler for lattices
play

An Efficient and Parallel Gaussian Sampler for Lattices Chris - PowerPoint PPT Presentation

Sep 20, 2022 •369 likes •975 views

An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010 1 / 10 Lattice-Based Crypto L R n b 2 b 1 2 / 10 Lattice-Based Crypto L R n p 1 p 2 2 / 10 Lattice-Based Crypto L R n b 2 p 1 b 1 =

  1. An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010 1 / 10

  2. Lattice-Based Crypto L ⊂ R n b 2 b 1 2 / 10

  3. Lattice-Based Crypto L ⊂ R n p 1 p 2 2 / 10

  4. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 (Images courtesy xkcd.org) 2 / 10

  5. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 ✔ Asymptotically efficient & highly parallelizable (Images courtesy xkcd.org) 2 / 10

  6. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 ✔ Asymptotically efficient & highly parallelizable ✔ Worst-case assumptions (& quantum-resistant?) [Ajtai’96,. . . ] (Images courtesy xkcd.org) 2 / 10

  7. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 ✔ Asymptotically efficient & highly parallelizable ✔ Worst-case assumptions (& quantum-resistant?) [Ajtai’96,. . . ] ✔ Many rich applications: ⋆ ‘Hash-and-sign’ signatures [GPV’08, CHKP’10, R’10, B’10] ⋆ (Hierarchical) IBE [GPV’08, CHKP’10, ABB’10a, ABB’10b] ⋆ Fully homomorphic encryption [G’09, SV’10, vDGHV’10] (Images courtesy xkcd.org) 2 / 10

  8. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] 3 / 10

  9. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] 3 / 10

  10. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] Crypto Applications ◮ ‘Answering queries:’ signing, (H)IBE key extraction, (NI)ZK 3 / 10

  11. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] Crypto Applications ◮ ‘Answering queries:’ signing, (H)IBE key extraction, (NI)ZK ◮ Worst-case / average-case reductions [GPV’08,P’09,LPR’10,G’10] 3 / 10

  12. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] Crypto Applications ◮ ‘Answering queries:’ signing, (H)IBE key extraction, (NI)ZK ◮ Worst-case / average-case reductions [GPV’08,P’09,LPR’10,G’10] ◮ Narrower Gaussian ⇒ smaller keys ⇒ more efficient schemes 3 / 10

  13. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  14. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  15. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  16. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  17. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . 4 / 10

  18. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ 4 / 10

  19. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ ✗ Not efficient: time = Ω( n 3 ) , high-precision real arithmetic 4 / 10

  20. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ ✗ Not efficient: time = Ω( n 3 ) , high-precision real arithmetic ✗ Inherently sequential: n adaptive iterations 4 / 10

  21. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ ✗ Not efficient: time = Ω( n 3 ) , high-precision real arithmetic ✗ Inherently sequential: n adaptive iterations ✗ No efficiency improvement for ring-based crypto [NTRU’98,M’02,. . . ] 4 / 10

  22. Our Contributions 1 A new Gaussian sampling algorithm for lattices. 5 / 10

  23. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer 5 / 10

  24. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! 5 / 10

  25. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! ⋆ Fully parallelizable: n 2 / P operations on each of P ≤ n 2 processors 5 / 10

  26. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! ⋆ Fully parallelizable: n 2 / P operations on each of P ≤ n 2 processors ⋆ High quality: for crypto lattices, same ∗ Gaussian width as GPV 5 / 10

  27. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! ⋆ Fully parallelizable: n 2 / P operations on each of P ≤ n 2 processors ⋆ High quality: for crypto lattices, same ∗ Gaussian width as GPV 2 A general ‘convolution theorem’ for discrete Gaussians. Other applications: LWE error distribution, bi-deniable encryption [OP’10] , . . . 5 / 10

  28. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) b 2 c b 1 6 / 10

  29. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) b 2 c b 1 6 / 10

  30. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . b 2 c b 1 6 / 10

  31. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 6 / 10

  32. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 6 / 10

  33. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 ◮ Non-spherical distribution: has covariance � x · x t � ≈ B · B t . Σ := Exp x 6 / 10

  34. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 ◮ Non-spherical distribution: has covariance � x · x t � ≈ B · B t . Σ := Exp x Covariance can be measured — and it leaks B ! (up to rotation) 6 / 10

  35. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) 7 / 10

  36. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) ⇒ covariance s 2 I . Spherical Gaussian ⇐ 7 / 10

  37. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) ⇒ covariance s 2 I . Spherical Gaussian ⇐ 2 Convolution of Gaussians: + = Σ = s 2 I Σ 1 + Σ 2 = 7 / 10

  38. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) ⇒ covariance s 2 I . Spherical Gaussian ⇐ 2 Convolution of Gaussians: + = Σ = s 2 I Σ 1 + Σ 2 = 3 Given Σ 1 , how small can s be? For Σ 2 := s 2 I − Σ 1 , 7 / 10

Recommend

Sampling and Reporting for Sampler 1 and 2 Certification Sampling and Reporting for Sampler 1 and 2

Sampling and Reporting for Sampler 1 and 2 Certification Sampling and Reporting for Sampler 1 and 2

Sampling and Reporting for Sampler 1 and 2 Certification Sampling and Reporting for Sampler 1 and 2 Certification Jennifer Hill, PE Peter Nathanson, PE Daniel B. Stephens & Associates Independent Contractor 505.353.9106 peternathanson@kunm.org

2k views • 188 slides
Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio (UCSD) Nicholas Genise (UCSD) Modern Cryptography Founded on Mathematics / Complexity Theory Start from mathematical problem P that is

461 views • 32 slides
Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction Lattices based Signatures Before Gaussian Sampling Preventing Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

984 views • 67 slides
PM Sampler Placement and Sampler Errors! Why should Regulatory and Agricultural Industries Care?

PM Sampler Placement and Sampler Errors! Why should Regulatory and Agricultural Industries Care?

PM Sampler Placement and Sampler Errors! Why should Regulatory and Agricultural Industries Care? Dr. Michael Buser USDA Agricultural Research Service Cotton Production and Processing Research Unit Lubbock, TX (806) 746-5353 x 104 Office

307 views • 11 slides
Multilevel LDPC Lattices with Efficient Encoding and Decoding and a Generalization of Construction

Multilevel LDPC Lattices with Efficient Encoding and Decoding and a Generalization of Construction

Multilevel LDPC Lattices with Efficient Encoding and Decoding and a Generalization of Construction D Danilo Silva Paulo R. B. da Silva Department of Electrical and Electronic Engineering Federal University of Santa Catarina (UFSC), Brazil

755 views • 63 slides
More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

Introduction GGH Construction GGHLite Conclusions More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School of IT Monash University, Australia (Based on joint work with A. Langlois and D. Stehl e, ENS

706 views • 39 slides
Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona

Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona

Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona State), Jingyu He (Chicago Booth), Hedibert Lopes (INSPER) November 21, 2018 1 Motivation Goal: run a Gaussian linear regression and a new prior

1.01k views • 52 slides
Computing and Communications 2. Information Theory -Gaussian Channel Ying Cui Department of

Computing and Communications 2. Information Theory -Gaussian Channel Ying Cui Department of

1896 1920 1987 2006 Computing and Communications 2. Information Theory -Gaussian Channel Ying Cui Department of Electronic Engineering Shanghai Jiao Tong University, China 2017, Autumn 1 Outline Gaussian Channel Parallel Gaussian

586 views • 19 slides
CS 240A: Solving Ax = b in parallel Dense A: Gaussian elimination with partial pivoting (LU)

CS 240A: Solving Ax = b in parallel Dense A: Gaussian elimination with partial pivoting (LU)

CS 240A: Solving Ax = b in parallel Dense A: Gaussian elimination with partial pivoting (LU) Same flavor as matrix * matrix, but more complicated Sparse A: Gaussian elimination Cholesky, LU, etc. Graph algorithms Sparse A:

589 views • 25 slides
Energy-efficient parallel software for mobile hand-held devices Antti P Miettinen , Nokia Research

Energy-efficient parallel software for mobile hand-held devices Antti P Miettinen , Nokia Research

Energy-efficient parallel software for mobile hand-held devices Antti P Miettinen , Nokia Research Center Vesa Hirvisalo, Helsinki University of Technology Mobile-phone view to parallel SW Parallel == efficient? Not always

283 views • 9 slides
R goes Mobile: Efficient Scheduling for Parallel R Programs on Heterogeneous Embedded Systems

R goes Mobile: Efficient Scheduling for Parallel R Programs on Heterogeneous Embedded Systems

R goes Mobile: Efficient Scheduling for Parallel R Programs on Heterogeneous Embedded Systems Helena Kotthaus, Andreas Lang Olaf Neugebauer, Peter Marwedel 03/07/2017 SFB 876 Parallel Machine Learning Algorithms Challenge: Regression Model

299 views • 15 slides
Gaussian Processes for Sample Efficient Reinforcement Learning with RMAX-like Exploration Tobias

Gaussian Processes for Sample Efficient Reinforcement Learning with RMAX-like Exploration Tobias

Gaussian Processes for Sample Efficient Reinforcement Learning with RMAX-like Exploration Tobias Jung and Peter Stone Department of Computer Science University of Texas at Austin { tjung,pstone } @cs.utexas.edu Outline: 1. Motivation &

349 views • 18 slides
Near-Optimal Sensor Placements in Gaussian Processes: Theory, Efficient Algorithms and Empirical

Near-Optimal Sensor Placements in Gaussian Processes: Theory, Efficient Algorithms and Empirical

Journal of Machine Learning Research 9 (2008) 235-284 Submitted 9/06; Revised 9/07; Published 2/08 Near-Optimal Sensor Placements in Gaussian Processes: Theory, Efficient Algorithms and Empirical Studies Andreas Krause KRAUSEA @ CS . CMU . EDU

657 views • 50 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Why Gaussian and Cauchy Functions Computationally . . . Are Efficient in Filled Function Method:

Why Gaussian and Cauchy Functions Computationally . . . Are Efficient in Filled Function Method:

Formulation of the . . . Need for Smoothing Need to Select an . . . We May Need Several . . . Why Gaussian and Cauchy Functions Computationally . . . Are Efficient in Filled Function Method: Resulting Requirement . . . A Possible Explanation

513 views • 17 slides
Gaussian Filter The Gaussian filter 1 2 1 A Gaussian kernel gives less 1 2 4 2 weight to

Gaussian Filter The Gaussian filter 1 2 1 A Gaussian kernel gives less 1 2 4 2 weight to

Gaussian Filter The Gaussian filter 1 2 1 A Gaussian kernel gives less 1 2 4 2 weight to pixels further from 16 the center of the window 1 2 1 This kernel is an approximation of a Gaussian function Gaussian filtering versus mean

405 views • 11 slides
Efficient Bayesian inference for Copula Gaussian graphical models A. Mohammadi, F. Abegaz and E.

Efficient Bayesian inference for Copula Gaussian graphical models A. Mohammadi, F. Abegaz and E.

Efficient Bayesian inference for Copula Gaussian graphical models A. Mohammadi, F. Abegaz and E. Wit University of Groningen, Netherlands a.mohammadi@rug.nl 29th International Workshop on Statistical Modelling Gottingen, Germmany July 17,

441 views • 19 slides
Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya

Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya

Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya De Rocco Servedio Cornell U Penn Columbia Halfspaces (aka LTFs) + + + -- + + + -- + -- + -- -- -- + + + -- + + -- -- +

421 views • 29 slides
The Gibbs Sampler CSE 527 Lecture 9 Lawrence, et al. Detecting Subtle Sequence

The Gibbs Sampler CSE 527 Lecture 9 Lawrence, et al. Detecting Subtle Sequence

The Gibbs Sampler CSE 527 Lecture 9 Lawrence, et al. Detecting Subtle Sequence Signals: A The Gibbs Sampler Gibbs Sampling Strategy for Multiple Sequence Alignment, Science 1993 The Double Helix Some DNA Binding Domains

62 views • 5 slides
CSE 527 Lecture 9 The Gibbs Sampler Talk Today Zasha Weinberg Combi HSB K-069, 1:30

CSE 527 Lecture 9 The Gibbs Sampler Talk Today Zasha Weinberg Combi HSB K-069, 1:30

CSE 527 Lecture 9 The Gibbs Sampler Talk Today Zasha Weinberg Combi HSB K-069, 1:30 Fast, accurate annotation of non-coding RNAs The Gibbs Sampler Lawrence et al. Detecting Subtle Sequence Signals: A Gibbs Sampling

972 views • 18 slides
Solutions for Efficient Memory Access for Cubic Lattices and Random Number Algorithms GTC 2015

Solutions for Efficient Memory Access for Cubic Lattices and Random Number Algorithms GTC 2015

Solutions for Efficient Memory Access for Cubic Lattices and Random Number Algorithms GTC 2015 Speaker: Dr. Matteo Lulli Prof. M. Bernaschi and Prof. G. Parisi March the 19th, 2015 Matteo Lulli - arXiv: 1114.0127 - lullimat.org Solutions for

925 views • 88 slides
Non-Gaussian likelihoods for Gaussian Processes Alan Saul Outline Motivation Non-Gaussian

Non-Gaussian likelihoods for Gaussian Processes Alan Saul Outline Motivation Non-Gaussian

Non-Gaussian likelihoods for Gaussian Processes Alan Saul Outline Motivation Non-Gaussian posteriors Approximate methods Laplace approximation Variational bayes Expectation propagation Comparisons GP regression - recap so far Model the

1.41k views • 113 slides
2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate

2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate

1 The Value of Good Sampling 2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate bias / random Detrimental effect to operations Effect on Mass Balancing (example) Combined OSA and Sampler

634 views • 26 slides
Parallel Linear Algebra Our goals: Fast and efficient parallel algorithms for the matrix-vector

Parallel Linear Algebra Our goals: Fast and efficient parallel algorithms for the matrix-vector

Parallel Linear Algebra Our goals: Fast and efficient parallel algorithms for the matrix-vector product, the matrix-matrix product, solving systems of linear equations, applying finite difference systems, and computing the fast Fourier

700 views • 35 slides

More recommend