how to use a short basis trapdoors for hard lattices and
play

How to Use a Short Basis: Trapdoors for Hard Lattices and New - PowerPoint PPT Presentation

May 27, 2023 •692 likes •1.48k views

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris Peikert SRI Work with Craig Gentry and Vinod Vaikuntanathan 1 / 14 Digital Signatures 2 / 14 Digital Signatures (public) (secret) 2 / 14

  1. How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris Peikert SRI Work with Craig Gentry and Vinod Vaikuntanathan 1 / 14

  2. Digital Signatures 2 / 14

  3. Digital Signatures (public) (secret) 2 / 14

  4. Digital Signatures (public) “I love you” ✔ (secret) 2 / 14

  5. Digital Signatures (public) “It’s over” ✗ (secret) 2 / 14

  6. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 3 / 14

  7. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 f x y Dom Dom 3 / 14

  8. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom 3 / 14

  9. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom f − 1 3 / 14

  10. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom f − 1 ◮ Candidates: [RSA78,Rabin79,Paillier99] ✔ “General assumption” ✔ Applications: digital signatures, OT, NIZK, . . . 3 / 14

  11. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom f − 1 ◮ Candidates: [RSA78,Rabin79,Paillier99] ✔ “General assumption” ✔ Applications: digital signatures, OT, NIZK, . . . ◮ All rely on hardness of factoring ✗ Complex: 2048 -bit exponentiation ✗ Lack of diversity ✗ Broken by quantum algorithms [Shor] 3 / 14

  12. Lattice-Based Cryptography What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] 4 / 14

  13. Lattice-Based Cryptography What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev] 2 Public-key encryption [AjtaiDwork,Regev] 3 Recent developments [LyubMicc,PeikWat,. . . ] 4 / 14

  14. Lattice-Based Cryptography What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev] 2 Public-key encryption [AjtaiDwork,Regev] 3 Recent developments [LyubMicc,PeikWat,. . . ] What’s Missing ◮ Everything else! Practical signatures, protocols, “advanced” crypto, . . . 4 / 14

  15. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions 5 / 14

  16. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f D R 5 / 14

  17. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f D R 5 / 14

  18. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R 5 / 14

  19. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R 5 / 14

  20. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 5 / 14

  21. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 2 “Hash and sign” signatures: FDH etc. 5 / 14

  22. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 2 “Hash and sign” signatures: FDH etc. 3 Identity-based encryption, OT [PVW] , NCE [CDMW] , NISZK [PV] , . . . 5 / 14

  23. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 2 “Hash and sign” signatures: FDH etc. 3 Identity-based encryption, OT [PVW] , NCE [CDMW] , NISZK [PV] , . . . New Algorithmic Tool ◮ “Oblivious decoder” on lattices 5 / 14

  24. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n b 2 � L = ( Z · b i ) i = 1 b 1 O 6 / 14

  25. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n � L = ( Z · b i ) b 1 i = 1 O b 2 6 / 14

  26. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n � L = ( Z · b i ) b 1 i = 1 O b 2 Shortest Vector Problem (SVP γ ) ◮ Given B , find (nonzero) v ∈ L within γ factor of shortest. 6 / 14

  27. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: β n t � L = ( Z · b i ) b 1 i = 1 O b 2 Shortest Vector Problem (SVP γ ) ◮ Given B , find (nonzero) v ∈ L within γ factor of shortest. Absolute Distance Decoding (ADD β ) ◮ Given B and target t ∈ R n , find some v ∈ L within distance β . 6 / 14

  28. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] 7 / 14

  29. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04] : SVP γ · n SVP γ as hard as every lattice random lattice 7 / 14

  30. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04] : SVP β · n ADD β as hard as every lattice random lattice ◮ Decoding hard on average, too 7 / 14

  31. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04] : SVP β · n ADD β as hard as every lattice random lattice ◮ Decoding hard on average, too Bottom Line ◮ On random lattices, SVP γ and ADD β seem exponentially hard 7 / 14

  32. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S s 2 b 1 s 1 b 2 8 / 14

  33. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  34. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  35. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  36. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  37. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  38. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  39. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  40. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] 8 / 14

  41. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness 8 / 14

  42. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness 2 Secret key leakage • Total break after several signatures [NguyenRegev] 8 / 14

  43. Gaussians and Lattices 9 / 14

  44. Gaussians and Lattices 9 / 14

  45. Gaussians and Lattices 9 / 14

  46. Gaussians and Lattices “Uniform” in R n when std dev ≥ shortest basis [Regev,MicciancioRegev] 9 / 14

  47. Our Trapdoor Function ◮ “Hard” public basis B , s 2 short secret basis S [Ajtai99,AP08] b 1 s 1 b 2 10 / 14

  48. Our Trapdoor Function ◮ “Hard” public basis B , short secret basis S [Ajtai99,AP08] ◮ Input v ∈ L , error e 10 / 14

Recommend

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n

1.48k views • 118 slides
Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts ttts Tenerife PQCrypto Conference (January 31, 2018) Lattices What is a lattice? O Lattices What

1.59k views • 136 slides
Hard Core Exclusion Models on Lattices: Rods, Rectangles and Discs Joyjit Kundu ( Institute of

Hard Core Exclusion Models on Lattices: Rods, Rectangles and Discs Joyjit Kundu ( Institute of

Hard Core Exclusion Models on Lattices: Rods, Rectangles and Discs Joyjit Kundu ( Institute of Mathematical Sciences, Chennai ) ! Deepak Dhar ( Tata Institute of Fundamental Research, Mumbai ) ! Jrgen Stilck ( Universidade Federal Fluminense,

1.02k views • 91 slides
Short-Term Rentals (STRs) STRs provide transient accommodations on a short-term basis The

Short-Term Rentals (STRs) STRs provide transient accommodations on a short-term basis The

Short-Term Rentals (STRs) STRs provide transient accommodations on a short-term basis The property owner may or may not be What is a STR? present during the stay Technology improvements have helped improve STRs popularity Airbnb

406 views • 23 slides
Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/

Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/

Overview The Result The Technique Example Conclusion Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/ Magma LIP CNRS/ENSL/U. Lyon/INRIA/UCBL ANTS-IX, July 2010 Overview The Result The

387 views • 19 slides
Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere

Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere

Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere packings. Lattices. B = ( B 1 , . . . , B n ) basis of Euclidean space ( R n , ( , )) . L = { n i =1 a i B i | a i Z } lattice.

250 views • 24 slides
What is a Short T erm Rental (STR) ? A short - term rental , or vacation rental , is the renting

What is a Short T erm Rental (STR) ? A short - term rental , or vacation rental , is the renting

What is a Short T erm Rental (STR) ? A short - term rental , or vacation rental , is the renting out of a furnished home, apartment or condominium for a short - term stay. The owner of the property usually will rent out on a weekly basis, but some

487 views • 20 slides
Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Recall Cycle-Free Codes and Lattices Lattices from Codes Codes from Lattices Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013

851 views • 55 slides
Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an additive subgroup R n such that Z n ( is free on n generators) b Z R R n ( spans the whole real vector space) # n +

246 views • 7 slides
Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toni Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toni Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toni Pitassi, Hao Wei IAS, December 5, 2017 Ian Mertz (U. of Toronto) Short Proofs are Hard to Find IAS, December 5, 2017 1 / 35 Introduction Proof complexity

1.13k views • 100 slides
Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toniann Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toniann Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toniann Pitassi, Hao Wei ICALP, July 10, 2019 Ian Mertz (U. of Toronto) Short Proofs are Hard to Find ICALP, July 10, 2019 1 / 20 Introduction Proof complexity

915 views • 53 slides
Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007

Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007

Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007 September Ichiro Shimada (Hokkaido University, Sapporo, JAPAN) By a lattice, we mean a finitely generated free Z -module equipped with a

611 views • 31 slides
Independent Thinking and Hard Working, or Caring and Well Behaved? Short- and Long-Term Impacts

Independent Thinking and Hard Working, or Caring and Well Behaved? Short- and Long-Term Impacts

Independent Thinking and Hard Working, or Caring and Well Behaved? Short- and Long-Term Impacts of Gender-Identity Norms Nria Rodrguez-Planas City University of New York (CUNY), Queens College Anna Sanz-de-Galdeano University of Alicante

589 views • 36 slides
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set of linearly independent

1.33k views • 36 slides
Lattices from Octonion Algebras Octonion Algebras Lattices via Octonion Algebras Nelson G.

Lattices from Octonion Algebras Octonion Algebras Lattices via Octonion Algebras Nelson G.

Nelson, Cintya, Sueli Lattices Lattices from Octonion Algebras Octonion Algebras Lattices via Octonion Algebras Nelson G. Brasil Junior 1 Cintya W. O. Benedito 2 Examples Sueli I. R. Costa 1 1 Institute of Mathematics, Statistics and

650 views • 6 slides
Biblical Postcards Both 2 John and 3 John are so short that its hard to call them BOOKS of

Biblical Postcards Both 2 John and 3 John are so short that its hard to call them BOOKS of

8/23/2016 Biblical Postcards Both 2 John and 3 John are so short that its hard to call them BOOKS of the Bible . Since 2 John and 3 John are actually LETTERS with relatively few words, theyre more like POSTCARDS! The Sender &

362 views • 4 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Unification on Subvarieties of Introduction Algebraic Unification Pseudocomplemented lattices

Unification on Subvarieties of Introduction Algebraic Unification Pseudocomplemented lattices

Unification on Subvarieties of Pseudocomple- mented lattices L.M. Cabrer Unification on Subvarieties of Introduction Algebraic Unification Pseudocomplemented lattices Fragments of Heyting algebras P-Lattices Definition Duality

570 views • 33 slides
Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &

1.2k views • 76 slides
Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont

Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont

Lattices Computational complexity Complexity of cyclic lattices Well-rounded cyclic lattices Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont McKenna College Undergraduate Summer Research Program

1.17k views • 65 slides

More recommend