better algorithms for lwe and lwr
play

Better Algorithms for LWE and LWR Alexandre Duc, Florian Tram` er, - PowerPoint PPT Presentation

Dec 01, 2022 •204 likes •648 views

Better Algorithms for LWE and LWR Alexandre Duc, Florian Tram` er, Serge Vaudenay EPFL, Lausanne, Switzerland Eurocrypt 2015, Sofia Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 1 / 19 LWE Applications Many

  1. Better Algorithms for LWE and LWR Alexandre Duc, Florian Tram` er, Serge Vaudenay EPFL, Lausanne, Switzerland Eurocrypt 2015, Sofia Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 1 / 19

  2. LWE Applications Many crypto primitives are based on Learning With Errors Trapdoor functions + IBE [Gentry et al., 2008] Public-key and symmetric-key cryptosystems [Regev, 2009] , [Peikert, 2009] , [Applebaum et al., 2009] FHE [Brakerski and Vaikuntanathan, 2011] , [Brakerski, 2012] , [Gentry et al., 2013] Our Goal Better understand the hardness of LWE through an algorithmic analysis, in order to propose concrete security parameters for these schemes Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 2 / 19

  3. LWE Applications Many crypto primitives are based on Learning With Errors Trapdoor functions + IBE [Gentry et al., 2008] Public-key and symmetric-key cryptosystems [Regev, 2009] , [Peikert, 2009] , [Applebaum et al., 2009] FHE [Brakerski and Vaikuntanathan, 2011] , [Brakerski, 2012] , [Gentry et al., 2013] Our Goal Better understand the hardness of LWE through an algorithmic analysis, in order to propose concrete security parameters for these schemes Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 2 / 19

  4. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  5. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  6. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  7. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  8. LWE Definition Definition (LWE Oracle) Let k , q be positive integers. A Learning with Errors (LWE) oracle Π s , χ for a hidden vector s 2 Z k q and a probability distribution χ over Z q is an oracle returning 0 1 U A , � Z k q , h a , s i + ν @ a | {z } c where ν χ . Definition (Search-LWE) The Search-LWE problem is the problem of recovering the hidden secret s given n queries ( a ( j ) , c ( j ) ) 2 Z k q ⇥ Z q obtained from Π s , χ . Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 4 / 19

  9. LWE Definition Definition (LWE Oracle) Let k , q be positive integers. A Learning with Errors (LWE) oracle Π s , χ for a hidden vector s 2 Z k q and a probability distribution χ over Z q is an oracle returning 0 1 U A , � Z k q , h a , s i + ν @ a | {z } c where ν χ . Definition (Search-LWE) The Search-LWE problem is the problem of recovering the hidden secret s given n queries ( a ( j ) , c ( j ) ) 2 Z k q ⇥ Z q obtained from Π s , χ . Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 4 / 19

  10. Error Distribution(s) Two main Gaussian error distributions appear in the literature Definition (Rounded Gaussian Distribution [Regev, 2009; Albrecht et al., 2013] ) Sample x ⇠ N (0 , σ 2 ). Output d x c (mod q ) 2 ] � q 2 , q 2 ]. Definition (Discrete Gaussian Distribution [Regev, 2009; Brakerski et al., 2013] ) for x 2 ] � q 2 , q Pr[ x ] / exp( � x 2 / (2 σ 2 )) , 2] . ) Our results apply to both distributions for practical parameters ) We focus on the discrete Gaussian distribution for this talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 5 / 19

  11. Error Distribution(s) Two main Gaussian error distributions appear in the literature Definition (Rounded Gaussian Distribution [Regev, 2009; Albrecht et al., 2013] ) Sample x ⇠ N (0 , σ 2 ). Output d x c (mod q ) 2 ] � q 2 , q 2 ]. Definition (Discrete Gaussian Distribution [Regev, 2009; Brakerski et al., 2013] ) for x 2 ] � q 2 , q Pr[ x ] / exp( � x 2 / (2 σ 2 )) , 2] . ) Our results apply to both distributions for practical parameters ) We focus on the discrete Gaussian distribution for this talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 5 / 19

  12. Error Distribution(s) Two main Gaussian error distributions appear in the literature Definition (Rounded Gaussian Distribution [Regev, 2009; Albrecht et al., 2013] ) Sample x ⇠ N (0 , σ 2 ). Output d x c (mod q ) 2 ] � q 2 , q 2 ]. Definition (Discrete Gaussian Distribution [Regev, 2009; Brakerski et al., 2013] ) for x 2 ] � q 2 , q Pr[ x ] / exp( � x 2 / (2 σ 2 )) , 2] . ) Our results apply to both distributions for practical parameters ) We focus on the discrete Gaussian distribution for this talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 5 / 19

  13. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

  14. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Partition queries according to values of first block [ 0 0 1 ] [ 2 -1 4 ] [ -2 0 1 ] � 1 [ 0 0 1 ] [ -2 0 1 ] [ -5 1 -1 ] 2 [ 0 0 -1 ] [ 3 3 -4 ] [ 0 4 2 ] 0 [ 0 0 2 ] [ 0 2 0 ] [ -1 4 -3 ] � 5 [ 0 0 -2 ] [ -1 1 -3 ] [ 5 5 1 ] 3 [ 0 0 -2 ] [ -2 5 -5 ] [ 1 3 -4 ] 2 . . . BKW reduction in Z 9 11 , r = 3 , b = 3 Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

  15. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Partition queries according to values of first block, and combine [ 0 0 1 ] [ 2 -1 4 ] [ -2 0 1 ] � 1 � + [ 0 0 1 ] [ -2 0 1 ] [ -5 1 -1 ] 2 [ 0 0 -1 ] [ 3 3 -4 ] [ 0 4 2 ] 0 [ 0 0 2 ] [ 0 2 0 ] [ -1 4 -3 ] � 5 + [ 0 0 -2 ] [ -1 1 -3 ] [ 5 5 1 ] 3 + [ 0 0 -2 ] [ -2 5 -5 ] [ 1 3 -4 ] 2 . . . BKW reduction in Z 9 11 , r = 3 , b = 3 Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

  16. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Partition queries according to values of first block, and combine [ 0 0 1 ] [ 2 -1 4 ] [ -2 0 1 ] � 1 � + [ 0 0 0 ] [ 4 -1 3 ] [ 3 -1 2 ] � 3 [ 0 0 0 ] [ 5 2 0 ] [ -2 4 3 ] � 1 [ 0 0 2 ] [ 0 2 0 ] [ -1 4 -3 ] � 5 + [ 0 0 0 ] [ -1 3 -3 ] [ 4 -2 -2 ] � 2 + [ 0 0 0 ] [ -2 -4 -5 ] [ 0 -4 4 ] � 3 . . . BKW reduction in Z 9 11 , r = 3 , b = 3 Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

Recommend

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For some optimization problems, dynamic programming algorithms are overkill A greedy algorithm always makes a choice that looks best at the moment

1.09k views • 65 slides
Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms

Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms

Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms Genetic Algorithms l Simulate natural evolution of structures via selection and reproduction, based on performance (fitness) l Type of

524 views • 30 slides
Graph Algorithms Chapter 22 1 CPTR 430 Algorithms Graph Algorithms Why Study Graph Algorithms?

Graph Algorithms Chapter 22 1 CPTR 430 Algorithms Graph Algorithms Why Study Graph Algorithms?

Graph Algorithms Chapter 22 1 CPTR 430 Algorithms Graph Algorithms Why Study Graph Algorithms? Mathematical graphs seem to be relatively specialized and abstract Why spend so much time and effort on algorithms for such an obscure area?

744 views • 47 slides
- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

algorithmic composition dForm + IM WS2010 Inst. f. Arch. a. Media packing algorithms packing algorithms packing algorithms p a c k i n g packing algorithms packing algorithms algorithms packing packing algorithm 1 algorithms - -

39 views • 3 slides
Algorithms Chapter 3 Chapter Summary Algorithms n Example Algorithms n Algorithmic Paradigms

Algorithms Chapter 3 Chapter Summary Algorithms n Example Algorithms n Algorithmic Paradigms

Algorithms Chapter 3 Chapter Summary Algorithms n Example Algorithms n Algorithmic Paradigms Growth of Functions n Big- O and other Notation Complexity of Algorithms Algorithms Section 3.1 Section Summary Properties of Algorithms

847 views • 83 slides
Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander

Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander

Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander Souza Winter term 11/12 Greedy algorithms 1 1. Introductory remarks Introductory remarks 2. Basic examples: The coin-changing problem

504 views • 19 slides
Randomized Algorithms Randomized Algorithms Two Types of Randomized Algorithms Two Types of

Randomized Algorithms Randomized Algorithms Two Types of Randomized Algorithms Two Types of

Randomized Algorithms Randomized Algorithms Two Types of Randomized Algorithms Two Types of Randomized Algorithms and and Some Complexity Classes Some Complexity Classes Speaker: Chuang-Chieh Lin Advisor: Professor Maw-Shang Chang National

910 views • 52 slides
The Role of Algorithms in Computing Chapter 1 1 CPTR 430 Algorithms The Role of Algorithms in

The Role of Algorithms in Computing Chapter 1 1 CPTR 430 Algorithms The Role of Algorithms in

The Role of Algorithms in Computing Chapter 1 1 CPTR 430 Algorithms The Role of Algorithms in Computing What is an Algorithm? Any well-defined computational procedure that takes some value (or set of values)its input and produces some

321 views • 13 slides
Algorithms X. Zhang Fordham Univ. 1 Real World applications of algorithms Algorithms for

Algorithms X. Zhang Fordham Univ. 1 Real World applications of algorithms Algorithms for

Algorithms X. Zhang Fordham Univ. 1 Real World applications of algorithms Algorithms for solving specific, complex, real world problems: Google's success is largely due to its PageRank algorithm, which determines importance"

1.03k views • 46 slides
Mathematical Analysis of Genetic Algorithms Genetic Algorithms are not appropriate for

Mathematical Analysis of Genetic Algorithms Genetic Algorithms are not appropriate for

Mathematical Analysis of Genetic Algorithms Genetic Algorithms are not appropriate for certain problems where finding the exact global optimum is required. Genetic Algorithms are non-deterministic. However, there are theories about

271 views • 5 slides
Genetic Algorithms Welcome to this introduction to Genetic Algorithms. The objective of this paper

Genetic Algorithms Welcome to this introduction to Genetic Algorithms. The objective of this paper

Jesse Anderson CSCI 446, Artificial Intelligence Michelle Van Dyne 11-16-2016 Genetic Algorithms Welcome to this introduction to Genetic Algorithms. The objective of this paper is to inform you, the reader, on Genetic Algorithms and give

564 views • 9 slides
Efficient Algorithms P and NP So far, we have developed algorithms for finding shortest

Efficient Algorithms P and NP So far, we have developed algorithms for finding shortest

Efficient Algorithms P and NP So far, we have developed algorithms for finding shortest paths in graphs, CISC5835, Algorithms for Big Data minimum spanning trees in graphs, CIS, Fordham Univ. matchings in bipartite graphs,

514 views • 8 slides
Algorithms in Nature Nature inspired algorithms http://www.cs.cmu.edu/~02317/ Ziv Bar-Joseph

Algorithms in Nature Nature inspired algorithms http://www.cs.cmu.edu/~02317/ Ziv Bar-Joseph

Algorithms in Nature Nature inspired algorithms http://www.cs.cmu.edu/~02317/ Ziv Bar-Joseph Matt Ruffalo zivbj@cs.cmu.edu mruffalo@andrew.cmu.edu GHC 7715 GHC 8006 Topics Introduction (1 Week) Classic algorithms (4 weeks)

1.68k views • 28 slides
Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline What is algorithm: word origin, first algorithms, algorithms of todays world Sequential algorithms, Parallel algorithms, approximation

828 views • 62 slides
Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline What is algorithm: word origin, first algorithms, algorithms of todays world Sequential algorithms, Parallel algorithms, approximation

332 views • 21 slides
Algorithms and Architecture 1 Introduction to Algorithms Alexandre David 1 Outline Notion

Algorithms and Architecture 1 Introduction to Algorithms Alexandre David 1 Outline Notion

Algorithms and Architecture 1 Introduction to Algorithms Alexandre David 1 Outline Notion of algorithms, GCD example. Algorithmic problem solving. Problem types. Sorting example. Numerical example. Analyzing algorithms.

333 views • 12 slides
GENETIC ALGORITHMS By Joy Reistad Overview What are genetic algorithms? History

GENETIC ALGORITHMS By Joy Reistad Overview What are genetic algorithms? History

GENETIC ALGORITHMS By Joy Reistad Overview What are genetic algorithms? History Methodology Initialization Selection Crossover Mutation Examples What are genetic algorithms? Type of search used in artificial

670 views • 33 slides
Chapter 7 Approximation Algorithms CS 573: Algorithms, Fall 2013 September 17, 2013 7.0.0.1

Chapter 7 Approximation Algorithms CS 573: Algorithms, Fall 2013 September 17, 2013 7.0.0.1

Chapter 7 Approximation Algorithms CS 573: Algorithms, Fall 2013 September 17, 2013 7.0.0.1 Todays Lecture Dont give up on NP-Hard problems: (A) Faster exponential time algorithms: n O ( n ) , 3 n , 2 n , etc. (B) Fixed parameter

583 views • 13 slides
Algorithms for prerequisites Computer Games fundamentals of algorithms and data structures

Algorithms for prerequisites Computer Games fundamentals of algorithms and data structures

Course syllabus credits: 2 cu Algorithms for prerequisites Computer Games fundamentals of algorithms and data structures (see Cormen et al., Introduction to Algorithms ) knowledge in programming (e.g., with Java) Jouni Smed

406 views • 5 slides
Visualisatie BMT Algorithms - 2 Arjan Kok a.j.f.kok@tue.nl 1 Lecture overview Vector

Visualisatie BMT Algorithms - 2 Arjan Kok a.j.f.kok@tue.nl 1 Lecture overview Vector

Visualisatie BMT Algorithms - 2 Arjan Kok a.j.f.kok@tue.nl 1 Lecture overview Vector algorithms Tensor algorithms Modeling algorithms 2 Vector algorithms Vector 2 or 3 dimensional representation of direction and

1.15k views • 45 slides
Analysis of Algorithms Amr Magdy Analyzing Algorithms Algorithm Correctness 1. Termination a.

Analysis of Algorithms Amr Magdy Analyzing Algorithms Algorithm Correctness 1. Termination a.

CS141: Intermediate Data Structures and Algorithms Analysis of Algorithms Amr Magdy Analyzing Algorithms Algorithm Correctness 1. Termination a. Produces the correct output for all possible input. b. Algorithm Performance 2. Either

1.02k views • 64 slides
Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13

TU/e Algorithms (2IL15) Lecture 13 Algorithms (2IL15) Lecture 13 Wrap-up lecture 1 TU/e Algorithms (2IL15) Lecture 13 Part I of the course: Optimization Problems we want to find valid solution minimizing cost (or maximizing

904 views • 20 slides
LP/SDP LP/SDP Algorithms Algorithms Claire Mathieu Brown University Many optimization

LP/SDP LP/SDP Algorithms Algorithms Claire Mathieu Brown University Many optimization

LP/SDP LP/SDP Algorithms Algorithms Claire Mathieu Brown University Many optimization problems can be written as integers programs Traveling salesman tour, vehicle routing Steiner tree, connecting Clustering, cuts Coloring

820 views • 68 slides
More Graph Algorithms Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1

More Graph Algorithms Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1

More Graph Algorithms Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1 Announcements Calendar on the webpage has updated office hours for this week. Last Time: Dijkstras Algorithm to find shortest paths. Today: Two more

509 views • 29 slides

More recommend