ideal lattices and ring lwe overview and open problems
play

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris - PowerPoint PPT Presentation

Oct 14, 2022 •40 likes •810 views

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions Selected bibliography: LPR10 V.

  1. Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16

  2. Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions Selected bibliography: LPR’10 V. Lyubashevsky, C. Peikert, O. Regev. “On Ideal Lattices and Learning with Errors Over Rings,” Eurocrypt’10 and JACM’13. LPR’13 V. Lyubashevsky, C. Peikert, O. Regev. “A Toolkit for Ring-LWE Cryptography,” Eurocrypt’13. 2 / 16

  3. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 3 / 16

  4. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 3 / 16

  5. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 3 / 16

  6. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 3 / 16

  7. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 2008– Countless applications of LWE (still inefficient) 3 / 16

  8. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 2008– Countless applications of LWE (still inefficient) 2010 Ring-LWE: efficient encryption, worst-case hardness () 3 / 16

  9. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . 4 / 16

  10. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 ≈ � a 1 , s � mod q q a 2 ← Z n , b 2 ≈ � a 2 , s � mod q q . . . 4 / 16

  11. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q 4 / 16

  12. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q 4 / 16

  13. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( A , b ) from uniform ( A , b ) 4 / 16

  14. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( A , b ) from uniform ( A , b ) LWE is Hard (. . . maybe even for quantum!) worst case decision-LWE ≤ crypto ≤ search-LWE ≤ lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] 4 / 16

  15. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( A , b ) from uniform ( A , b ) LWE is Hard (. . . maybe even for quantum!) worst case decision-LWE ≤ crypto ≤ search-LWE ≤ lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] ◮ Also a classical reduction for search-LWE [P’09,BLPRS’13] 4 / 16

  16. LWE is Versatile What kinds of crypto can we do with LWE? 5 / 16

  17. LWE is Versatile What kinds of crypto can we do with LWE? Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12] 5 / 16

  18. LWE is Versatile What kinds of crypto can we do with LWE? Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12] Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10] 5 / 16

  19. LWE is Versatile What kinds of crypto can we do with LWE? Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12] Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10] Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . . 5 / 16

  20. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s    . . . 6 / 16

  21. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ . O ( n ) work per scalar output. 6 / 16

  22. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ . O ( n ) work per scalar output. ◮ Cryptosystems have rather large keys:      . . . .  . .       pk = , Ω( n ) A b         . .  . .   . . � �� � n 6 / 16

  23. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ . O ( n ) work per scalar output. ◮ Cryptosystems have rather large keys:      . . . .  . .       pk = , Ω( n ) A b         . .  . .   . . � �� � n ◮ Can fix A for all users, but still ≥ n 2 work to encrypt & decrypt an n -bit message 6 / 16

  24. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one (cheap)          ∈ Z n a i  ⋆ s  + e i  = b i         q product operation?     . . . . . . . . . . . . 7 / 16

  25. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one (cheap)          ∈ Z n a i  ⋆ s  + e i  = b i         q product operation?     . . . . . . . . . . . . Question ◮ How to define the product ‘ ⋆ ’ so that ( a i , b i ) is pseudorandom? 7 / 16

  26. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one (cheap)          ∈ Z n a i  ⋆ s  + e i  = b i         q product operation?     . . . . . . . . . . . . Question ◮ How to define the product ‘ ⋆ ’ so that ( a i , b i ) is pseudorandom? ◮ Careful! With small error, coordinate-wise multiplication is insecure! 7 / 16

Recommend

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December

How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December

How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December 10, 2014 Ph.D. advisor : Louis GOUBIN Introduction Gentrys IL scheme Other FHE schemes Open questions This talk Introduction Gentrys

718 views • 58 slides
Spectrum problems for structures arising from lattices and rings lattices and rings

Spectrum problems for structures arising from lattices and rings lattices and rings

Spectrum problems for structures arising from Spectrum problems for structures arising from lattices and rings lattices and rings Hochsters Theorem for commutative Friedrich Wehrung unital rings Stone duality for bounded

1.66k views • 125 slides
Open Problems GRASTA-MAC 2015 1 Exploration with Stop in Ring with limited visibility (Franck

Open Problems GRASTA-MAC 2015 1 Exploration with Stop in Ring with limited visibility (Franck

Open Problems GRASTA-MAC 2015 1 Exploration with Stop in Ring with limited visibility (Franck Petit) Consider autonomous, identical, oblivious robots, in the Look-Compute-Move model. They have only local visibility, that is the snapshot allows

454 views • 4 slides
More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

Introduction GGH Construction GGHLite Conclusions More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School of IT Monash University, Australia (Based on joint work with A. Langlois and D. Stehl e, ENS

706 views • 39 slides
A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve D. J.

A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve D. J.

A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Sieving small integers 0 using primes 2 3 5 7: 1

646 views • 42 slides
Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont

Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont

Lattices Computational complexity Complexity of cyclic lattices Well-rounded cyclic lattices Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont McKenna College Undergraduate Summer Research Program

1.17k views • 65 slides
I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

O N THE R ESOLUTIONS OF ( SOME ) S IMPLICIAL F ORESTS S ARA F ARIDI D ALHOUSIE U NIVERSITY I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers i,j ( I ) ? Eliahou-Kervaire Splittings: When I = J + K

289 views • 25 slides
Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1 / 13 Agenda 1 Polynomial rings, ideal lattices and Ring-LWE 2 Basic Ring-LWE encryption 3 Fully homomorphic encryption Selected bibliography:

840 views • 64 slides
Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and

Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and

Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and Bilinear Maps Shuichi Katsumata (The University of Tokyo) Shota Yamada (AIST) ASIACRYPT Born in 1991 (Japan) Me Born in 1991 (Japan) Background

850 views • 62 slides
On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 1 1 Tel Aviv University 2 Georgia Institute of Technology Eurocrypt 2010 1 / 12 The Learning With Errors Problem [Regev05]

819 views • 59 slides
Ring of Integers of Abelian Number Fields and Algebraic Lattices Robson Ricardo de Araujo

Ring of Integers of Abelian Number Fields and Algebraic Lattices Robson Ricardo de Araujo

Ring of Integers of Abelian Number Fields and Algebraic Lattices Robson Ricardo de Araujo dearaujorobsonricardo@gmail.com Prof. Dr. Antonio Aparecido de Andrade (orientador) andrade@ibilce.unesp.br SP Coding and Information School January

367 views • 5 slides
Amalgamated algebras along an ideal: a class of ring extensions related to Nagatas

Amalgamated algebras along an ideal: a class of ring extensions related to Nagatas

1 2 3 4 5 6 7 8 Amalgamated algebras along an ideal: a class of ring extensions related to Nagatas idealization Marco Fontana Dipartimento di Matematica

1.67k views • 124 slides
For an (associative but not necessarily commutative) ring with identity A , there is a (not

For an (associative but not necessarily commutative) ring with identity A , there is a (not

B UCHBERGER T HEORY FOR E FFECTIVE A SSOCIATIVE R INGS T. M., Seven variations on standard bases , (1988) A solution if the ring is a vectorspace over a field A PEL J., Computational ideal theory in finitely generated extension rings , T.C.S. 224

815 views • 47 slides
Lattices from Maximal Quaternion Orders with Full Diversity Cintya Wink de Oliveira Benedito

Lattices from Maximal Quaternion Orders with Full Diversity Cintya Wink de Oliveira Benedito

Lattices from Maximal Quaternion Orders with Full Diversity Cintya Wink de Oliveira Benedito Postdoctoral Research Associate at University of Campinas - IMECC/UNICAMP Scholarship: CNPq Poster proposal: Construct ideal lattices on totally

152 views • 4 slides
Ideal lattices in multicubic fields Andrea LESAVOUREY Thomas PLANTARD Willy SUSILO School of

Ideal lattices in multicubic fields Andrea LESAVOUREY Thomas PLANTARD Willy SUSILO School of

Ideal lattices in multicubic fields Andrea LESAVOUREY Thomas PLANTARD Willy SUSILO School of Computing and Information Technology University of Wollongong Andrea LESAVOUREY Multicubic fields 1 / 39 Outline Motivation 1 Cryptography

911 views • 69 slides
Two-sided problems with choice functions, matroids and lattices as Fleiner 1 Tam Summer School

Two-sided problems with choice functions, matroids and lattices as Fleiner 1 Tam Summer School

Two-sided problems with choice functions, matroids and lattices as Fleiner 1 Tam Summer School on Matching Problems, Markets, and Mechanisms 24 June 2013, Budapest 1 Budapest University of Technology and Economics A competition problem Prove

1.7k views • 152 slides
Identity Based Encryption from lattices Pauline Bert October 3, 2017 Outline Preliminaries The

Identity Based Encryption from lattices Pauline Bert October 3, 2017 Outline Preliminaries The

Identity Based Encryption from lattices Pauline Bert October 3, 2017 Outline Preliminaries The first IBE from lattices Our IBE from lattices Ring-LWE construction Implementation 1 Identity Based Encryption Private Key Generator ( mpk ,

621 views • 31 slides
On the Lattices of Effectively Open Sets Oleg Kudinov and Victor Selivanov CCC-Workshop,

On the Lattices of Effectively Open Sets Oleg Kudinov and Victor Selivanov CCC-Workshop,

On the Lattices of Effectively Open Sets Oleg Kudinov and Victor Selivanov CCC-Workshop, Kochel, September 2015 Oleg Kudinov and Victor Selivanov On the Lattices of Effectively Open Sets The lattice E of c.e. sets is a popular object of study

327 views • 7 slides
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short Generator of a Principal Ideal

418 views • 23 slides
Some of my Favourite Open Problems in the Equational Logic of Processes Luca Aceto ICE-TCS,

Some of my Favourite Open Problems in the Equational Logic of Processes Luca Aceto ICE-TCS,

Introduction The General Setting A menagerie of open problems Call to arms Some of my Favourite Open Problems in the Equational Logic of Processes Luca Aceto ICE-TCS, School of Computer Science, Reykjavik University Open Problems in

713 views • 35 slides
Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts ttts Tenerife PQCrypto Conference (January 31, 2018) Lattices What is a lattice? O Lattices What

1.59k views • 136 slides
Standard lattices of compatibly embedded finite fields Luca De Feo, Hugues Randriam, douard

Standard lattices of compatibly embedded finite fields Luca De Feo, Hugues Randriam, douard

Context Overview Standard lattices Standard lattices of compatibly embedded finite fields Luca De Feo, Hugues Randriam, douard Rousseau JNCF 2019 1 / 22 Context Overview Standard lattices C ONTENTS Context Overview Standard lattices

382 views • 36 slides
Classifying Unification Problems in Preliminaries Algebraic Unifiers Distributive Lattices and

Classifying Unification Problems in Preliminaries Algebraic Unifiers Distributive Lattices and

Classifying Unification Problems in Distributive Lattices and Kleene Algebras L.M. Cabrer Classifying Unification Problems in Preliminaries Algebraic Unifiers Distributive Lattices and Kleene Algebras Unification types Unifiers through

866 views • 48 slides

More recommend