Babai's Roundoff Algorithm
Compute $x \equiv t \pmod B$ with one linear system: $x = t - B\lfloor B^{-1} t \rceil$. The output $x$ lies in the fundamental parallelepiped $\mathcal{P}(B)$. With $d = \min_i \|b_i^{\perp}\|$, where $b_i^{\perp}$ is the component of $b_i$ orthogonal to the span of the other basis vectors, $\mathcal{P}(B)$ contains a ball $\mathcal{B}_{d/2}$ of radius $d/2$ (half the smallest height of the parallelepiped), so targets within distance $d/2$ of the lattice are decoded correctly.
(Figure: basis $b_1, b_2$, target $t$, the parallelepiped $\mathcal{P}(B)$ and the inscribed ball.)

Babai's Nearest Plane Algorithm
Compute $x \equiv t \pmod{\tilde B}$ iteratively, where $\tilde B = (\tilde b_1, \dots, \tilde b_n)$ is the Gram-Schmidt orthogonalisation of $B$: for $i = n, \dots, 1$ replace $t$ by $t - \lfloor \langle t, \tilde b_i\rangle / \langle \tilde b_i, \tilde b_i\rangle \rceil\, b_i$. The output lies in the box $\mathcal{P}(\tilde B)$, which contains a ball of radius $d/2$ with $d = \min_i \|\tilde b_i\|$. Since $\|\tilde b_i\| \ge \|b_i^{\perp}\|$ (each $\tilde b_i$ is orthogonal only to the earlier basis vectors, not to all others), this decoding radius is never worse than the roundoff one.
(Figure: basis $b_1, b_2$, target $t$, the box $\mathcal{P}(\tilde B)$ spanned by $\tilde b_1, \tilde b_2$.)
(Figure: nearest plane in three dimensions: $t$ is first moved to the nearest lattice plane along $\tilde b_3$, giving $t'$, then reduced along $\tilde b_2$ inside that plane; axis ticks omitted.)
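The two algorithms above, as an added example that is not part of the original slides: both are run on the same constructed skewed basis $B = ((1,0),(3,1))$ of $\mathbb{Z}^2$ and target $t = (7/5, 3/5)$, in exact rational arithmetic. Roundoff with this basis returns the lattice point $(3,1)$, while nearest plane (whose Gram-Schmidt basis is orthonormal here) returns the true closest vector $(1,1)$; the basis, target and helper names are this example's own choices.

```python
from fractions import Fraction

# Added example (not from the slides): Babai's roundoff and nearest-plane
# algorithms on a 2-D lattice, using exact rational arithmetic.  Vectors are
# tuples; a basis is a list of basis vectors (the columns of B).

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def sub_scaled(t, c, b):
    """Return t - c*b componentwise."""
    return tuple(ti - c * bi for ti, bi in zip(t, b))

def gram_schmidt(basis):
    """Orthogonalise the basis in order; returns the GS vectors b~_i (not normalised)."""
    gs = []
    for b in basis:
        v = tuple(Fraction(x) for x in b)
        for g in gs:
            v = sub_scaled(v, dot(v, g) / dot(g, g), g)
        gs.append(v)
    return gs

def solve(basis, t):
    """Solve B y = t for the coordinate vector y (Gaussian elimination over Q)."""
    n = len(basis)
    # augmented matrix: rows are coordinates, columns are basis vectors, then t
    M = [[Fraction(basis[j][i]) for j in range(n)] + [Fraction(t[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        inv = 1 / M[col][col]
        M[col] = [x * inv for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def babai_roundoff(basis, t):
    """x = t - B*round(B^{-1} t): one linear system, reduces t into P(B)."""
    y = solve(basis, t)
    x = tuple(Fraction(v) for v in t)
    for c, b in zip(y, basis):
        x = sub_scaled(x, round(c), b)
    return x

def babai_nearest_plane(basis, t):
    """Reduce into P(B~): for i = n..1 subtract round(<t, b~_i>/<b~_i, b~_i>) * b_i."""
    gs = gram_schmidt(basis)
    x = tuple(Fraction(v) for v in t)
    for b, g in reversed(list(zip(basis, gs))):
        x = sub_scaled(x, round(dot(x, g) / dot(g, g)), b)
    return x

def closest_vector(basis, t, reduce=babai_nearest_plane):
    """Babai's CVP answer: the lattice vector v = t - x, x the reduction of t."""
    x = reduce(basis, t)
    return tuple(Fraction(ti) - xi for ti, xi in zip(t, x))

def demo():
    """Constructed example: skewed basis of Z^2, target (7/5, 3/5) = (1.4, 0.6)."""
    B = [(1, 0), (3, 1)]
    t = (Fraction(7, 5), Fraction(3, 5))
    ro = closest_vector(B, t, babai_roundoff)
    npl = closest_vector(B, t, babai_nearest_plane)
    return tuple(int(c) for c in ro), tuple(int(c) for c in npl)

if __name__ == "__main__":
    print("roundoff, nearest plane:", demo())
```

Because the second basis vector $(3,1)$ is far from orthogonal to $(1,0)$, the parallelepiped $\mathcal{P}(B)$ is a thin sliver and roundoff decodes $t$ to the wrong lattice point; the Gram-Schmidt box $\mathcal{P}(\tilde B)$ is the unit square, so nearest plane gets it right.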
Part II - Crypto
Goldreich, Goldwasser and Halevi (GGH)
◮ No security proof
◮ Trapdoor: orthogonality. Good (nearly orthogonal, private) basis $V = (v_1, v_2)$ and bad (public) basis $B = (b_1, b_2)$ of the same lattice
◮ Encrypt a short $r$: $c = v + r \pmod B$ for a lattice point $v$
◮ Decrypt: $r = c - v$, where $v$ is recovered by rounding $c$ with the good basis $V$ (rounding with the bad basis $B$ fails for the same reason Babai's roundoff fails on a skewed basis)
(Figure: the lattice with both bases, the lattice point $v$, the error $r$ and the ciphertext $c$.)
Ajtai's Construction
$f_A(x) = Ax \bmod q$ with $A \in \mathbb{Z}_q^{n \times m}$ and small $x$ (the SIS problem); $f_A$ is surjective, so small inputs collide.
◮ A collision $x \ne x'$ of small inputs gives a short vector $x - x' \in \Lambda_q^{\perp}(A) = \{ z : Az \equiv 0 \pmod q \}$
◮ Worst-case to average-case reduction (Ajtai's reduction for SIS is classical; the quantum reduction is Regev's, for LWE)
(Figure: the lattice $\Lambda_q^{\perp}(A)$ in $\mathbb{Z}_q^2$ with basis $b_1, b_2$; lattice-point coordinates omitted.)
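The pigeonhole argument behind "surjective, hence collisions" above, as an added example that is not part of the original slides: with $m > n \log_2 q$ there are more inputs in $\{0,1\}^m$ than outputs in $\mathbb{Z}_q^n$, so a collision $x \ne x'$ of $f_A$ must exist, and $x - x'$ is a nonzero vector of $\Lambda_q^{\perp}(A)$ with entries in $\{-1, 0, 1\}$. The matrix `A_EXAMPLE` and parameters $n=2$, $q=5$, $m=5$ are constructed for the example; the brute-force search is only feasible at toy size.

```python
import itertools

# Added example (not from the slides): Ajtai's function f_A(x) = A x mod q on
# small inputs x in {0,1}^m.  With 2^m > q^n a collision exists by pigeonhole,
# and x - x' is a short nonzero vector in L_q^perp(A) = { z : A z = 0 mod q }.

def f_A(A, x, q):
    """Ajtai's one-way function: A x mod q, A is n x m over Z_q (list of rows)."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)

def find_collision(A, q):
    """Brute-force search over {0,1}^m for x != x' with f_A(x) = f_A(x')."""
    m = len(A[0])
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        y = f_A(A, x, q)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None

def short_lattice_vector(A, q):
    """Turn a collision into z = x - x' with A z = 0 mod q and entries in {-1, 0, 1}."""
    col = find_collision(A, q)
    if col is None:
        return None
    x, x2 = col
    return tuple(a - b for a, b in zip(x, x2))

def in_perp_lattice(A, z, q):
    """Membership test for the q-ary lattice L_q^perp(A)."""
    return all(v == 0 for v in f_A(A, z, q))

# Constructed parameters: n = 2, q = 5, m = 5, so 2^5 = 32 inputs map onto
# 5^2 = 25 outputs and a collision is guaranteed whatever A is.
A_EXAMPLE = [[1, 2, 3, 4, 0],
             [2, 3, 1, 0, 4]]
Q_EXAMPLE = 5

if __name__ == "__main__":
    z = short_lattice_vector(A_EXAMPLE, Q_EXAMPLE)
    print("short vector in L_q^perp(A):", z, "A z mod q =", f_A(A_EXAMPLE, z, Q_EXAMPLE))
```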
Learning With Errors
◮ Search problem: given samples $b_i = \langle a_i, s\rangle + e_i \pmod q$ with uniform $a_i$ and small $e_i$, find $s$
◮ Decision problem: distinguish $(a_i, b_i)$ from uniform
◮ Search-to-decision reduction
Learning With Errors
$g_A(x) = Ax + e$ with $A \in \mathbb{Z}_q^{m \times n}$, $m > n$, and small $e$; $g_A$ is injective (contrast the surjective $f_A$ of SIS).
◮ Worst-case to average-case quantum reduction (Regev)
(Figure: the lattice $\Lambda_q(A)$ in $\mathbb{Z}_q^2$ with basis $b_1, b_2$; lattice-point coordinates omitted.)
LWE Based Cryptosystem
◮ Alice holds the secret $s$ and publishes $b = As + e$ (together with $A$)
◮ Bob encrypts a bit $m$ with a random small $x$: $(c_1, c_2) = (A^{\mathsf T} x,\ \langle b, x\rangle + m\lfloor q/2\rfloor)$
◮ Alice decrypts: $c_2 - \langle c_1, s\rangle = \langle e, x\rangle + m\lfloor q/2\rfloor$; the noise $\langle e, x\rangle$ is small, so rounding to the nearer of $0$ and $q/2$ recovers $m$
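The three steps above, as an added example that is not part of the original slides: a Regev-style bit encryption with $A$ stored as $m$ rows of $n$ entries (so $c_1 = A^{\mathsf T} x$), errors in $\{-1,0,1\}$ and $x \in \{0,1\}^m$. The constructed parameters $n=8$, $m=24$, $q=257$ satisfy $m < q/4$, which makes $|\langle e, x\rangle| \le m$ small enough that decryption is always correct; they give no security and only show the mechanics.

```python
import random

# Added example (not from the slides): Regev-style LWE encryption of one bit.
# Toy parameters: the noise <e, x> is bounded by M in absolute value, and
# M < Q/4 guarantees correct decryption.  Not a secure parameter set.

N, M, Q = 8, 24, 257   # secret dimension, number of samples, modulus

def dot(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q

def mat_vec(A, v, q):
    """A v mod q, A given as a list of rows."""
    return [dot(row, v, q) for row in A]

def mat_T_vec(A, v, q):
    """A^T v mod q."""
    return [sum(A[i][j] * v[i] for i in range(len(A))) % q for j in range(len(A[0]))]

def keygen(rng, n=N, m=M, q=Q):
    """Public key (A, b = A s + e) with A an m x n matrix; secret key s."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]
    b = [(bi + ei) % q for bi, ei in zip(mat_vec(A, s, q), e)]
    return (A, b), s

def encrypt(pk, bit, rng, q=Q):
    """(c1, c2) = (A^T x, <b, x> + bit*floor(q/2)) for a random x in {0,1}^m."""
    A, b = pk
    x = [rng.randrange(2) for _ in range(len(A))]
    c1 = mat_T_vec(A, x, q)
    c2 = (dot(b, x, q) + bit * (q // 2)) % q
    return c1, c2

def decrypt(sk, ct, q=Q):
    """c2 - <c1, s> = <e, x> + bit*floor(q/2); decide whether that is nearer 0 or q/2."""
    c1, c2 = ct
    d = (c2 - dot(c1, sk, q)) % q
    return 1 if q // 4 <= d < 3 * q // 4 else 0

def roundtrip(seed, trials=32):
    """Encrypt random bits under a fresh key pair and check they all decrypt correctly."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    for _ in range(trials):
        bit = rng.randrange(2)
        if decrypt(sk, encrypt(pk, bit, rng)) != bit:
            return False
    return True

if __name__ == "__main__":
    print("all bits decrypted correctly:", roundtrip(1))
```

The decision threshold in `decrypt` is the only place the noise bound enters: a value within $m$ of $0$ (mod $q$) decodes to $0$ and a value within $m$ of $\lfloor q/2 \rfloor$ decodes to $1$, which is unambiguous exactly when $m < q/4$.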
Cyclotomic Rings
$\Phi_{2^n}(x) = x^{2^{n-1}} + 1$. If $\zeta_{2^n} \in \mathbb{Z}_q$ (a primitive $2^n$-th root of unity) then $\Phi_{2^n}(x) \equiv \prod_{i \in \mathbb{Z}_{2^n}^*} (x - \zeta_{2^n}^i) \pmod q$.
Example ring: $\mathbb{Z}_5[x]/(x^2+1)$, where $x^2 + 1 \equiv (x+2)(x+3) \equiv (x-3)(x-2) \pmod 5$ (here $\zeta_4 = 2$), and $a(x) = 3x + 3$.
(Figure: the ring element $a(x)$ plotted as the point $(3,3)$ in $\mathbb{Z}_5^2$.)

Coefficient Representation
$a(x) = 3x + 3 \mapsto (3, 3)^{\mathsf T}$; $2a(x) \equiv x + 1 \mapsto (1, 1)^{\mathsf T}$.

Evaluation Representation
$a(2) \equiv 4$, $a(3) \equiv 2$, so $a(x) \mapsto (4, 2)^{\mathsf T}$; $2a(x) \equiv x + 1 \mapsto (3, 4)^{\mathsf T}$. The change of representation is the FFT (a number-theoretic transform).

Cyclotomic Rings: the two representations
Coefficient $\to$ evaluation is multiplication by the Vandermonde matrix of the roots $2, 3$; evaluation $\to$ coefficient is multiplication by its inverse:
$$\begin{pmatrix} 1 & 2 \\ 1 & 3 \end{pmatrix}\begin{pmatrix} 3 \\ 3 \end{pmatrix} = \begin{pmatrix} 4 \\ 2 \end{pmatrix}, \qquad \begin{pmatrix} 3 & -2 \\ -1 & 1 \end{pmatrix}\begin{pmatrix} 4 \\ 2 \end{pmatrix} = \begin{pmatrix} 3 \\ 3 \end{pmatrix} \pmod 5$$
(Vandermonde matrix on the left, i.e. FFT; its inverse on the right, i.e. FFT$^{-1}$.)
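The coefficient/evaluation correspondence above, as an added example that is not part of the original slides. It generalises the $2 \times 2$ Vandermonde matrix to $R_q = \mathbb{Z}_q[x]/(x^n+1)$ for any power of two $n$ with $q$ admitting a primitive $2n$-th root of unity $\zeta$: evaluating at the odd powers $\zeta^{2i+1}$ (the roots of $x^n+1$) is the forward transform, and the inverse Vandermonde has the closed form $a_j = n^{-1}\sum_i A_i\,\zeta^{-(2i+1)j}$. Ring multiplication then becomes a pointwise product, which the code checks against schoolbook negacyclic multiplication. The function names are this example's own; `slides_example` reproduces the $\mathbb{Z}_5[x]/(x^2+1)$ numbers from the slides.

```python
# Added example (not from the slides): coefficient <-> evaluation representation
# in R_q = Z_q[x]/(x^n + 1), n a power of two.  If zeta^n = -1 mod q then the
# roots of x^n + 1 are zeta^(2i+1), and evaluating there (a Vandermonde matrix)
# turns ring multiplication into pointwise multiplication of the evaluations.

def primitive_2n_root(n, q):
    """Smallest zeta with zeta^n = -1 mod q (order exactly 2n for n a power of two), or None."""
    for z in range(2, q):
        if pow(z, n, q) == q - 1:
            return z
    return None

def ntt(a, n, q, zeta):
    """Coefficient -> evaluation: A_i = a(zeta^(2i+1)), i.e. the Vandermonde matrix times a."""
    return [sum(a[j] * pow(zeta, (2 * i + 1) * j, q) for j in range(n)) % q for i in range(n)]

def intt(A, n, q, zeta):
    """Evaluation -> coefficient: a_j = n^-1 sum_i A_i zeta^(-(2i+1) j), the Vandermonde inverse."""
    n_inv = pow(n, -1, q)
    zeta_inv = pow(zeta, -1, q)
    return [n_inv * sum(A[i] * pow(zeta_inv, (2 * i + 1) * j, q) for i in range(n)) % q
            for j in range(n)]

def ring_mul_schoolbook(a, b, n, q):
    """Reference negacyclic multiplication, using x^n = -1."""
    res = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                res[i + j] += a[i] * b[j]
            else:
                res[i + j - n] -= a[i] * b[j]
    return [c % q for c in res]

def ring_mul_ntt(a, b, n, q, zeta):
    """Multiply in the evaluation representation: transform, pointwise product, invert."""
    A, B = ntt(a, n, q, zeta), ntt(b, n, q, zeta)
    return intt([x * y % q for x, y in zip(A, B)], n, q, zeta)

def slides_example():
    """Z_5[x]/(x^2+1), a(x) = 3x + 3 (coefficients low degree first: [3, 3]), zeta = 2."""
    n, q = 2, 5
    zeta = primitive_2n_root(n, q)                       # 2, since 2^2 = 4 = -1 mod 5
    a = [3, 3]
    evals = ntt(a, n, q, zeta)                           # [a(2), a(3)] = [4, 2]
    back = intt(evals, n, q, zeta)                       # [3, 3]
    doubled = ntt([2 * c % q for c in a], n, q, zeta)    # 2a = x + 1 evaluates to [3, 4]
    return zeta, evals, back, doubled

if __name__ == "__main__":
    print("zeta, evals, back, evals of 2a:", slides_example())
    z = primitive_2n_root(8, 17)                         # Z_17[x]/(x^8 + 1), zeta = 3
    a, b = [1, 2, 3, 4, 5, 6, 7, 8], [8, 7, 6, 5, 4, 3, 2, 1]
    print("NTT product matches schoolbook:",
          ring_mul_ntt(a, b, 8, 17, z) == ring_mul_schoolbook(a, b, 8, 17))
```

The transforms here are written as explicit $O(n^2)$ matrix-vector products so that the Vandermonde structure is visible; a real implementation uses the $O(n \log n)$ butterfly, which is what the slides' "FFT" refers to. The requirement $\zeta^n \equiv -1$ is why Ring-LWE moduli are chosen with $q \equiv 1 \pmod{2n}$.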
Ring LWE
$g_A(x) = Ax + e$ as before, but now over the ring $R_q = \mathbb{Z}_5[x]/(x^2+1)$: $A$ is the $2 \times 2$ matrix of multiplication by a ring element, so the lattices involved are ideal lattices. Example: the ideal generated by $p(x) = x + 2$ has basis $b_1 = p(x) \mapsto (2, 1)$ and $b_2 = x\,p(x) = x^2 + 2x \equiv 2x - 1 \mapsto (-1, 2)$ in coefficient coordinates; these are the columns of $A$.
(Figure: the ideal lattice of $p(x) = x + 2$ in $\mathbb{Z}_5^2$ with basis $b_1 = (2,1)$, $b_2 = (-1,2)$.)
Ring LWE
◮ Better reductions, better parameters
◮ Encryption, decryption, keygen: $\tilde O(n)$
◮ Preimage sampleable trapdoors
◮ Digital signatures
◮ Cryptomania: IBE, ABE, FE, FHE
NTRU-like Cryptosystem [13]
◮ Alice holds small $f, g \in R = \mathbb{Z}[x]/(x^n+1)$, with $g$ invertible modulo $q$ and modulo $2$, and publishes $A \equiv f/g \pmod q$
◮ Bob encrypts $m \in \{0,1\}^n$ with small $x, e$: $c \equiv 2(Ax + e) + m \pmod q$
◮ Alice decrypts: $cg \equiv 2(fx + eg) + mg \pmod q$; because $f, g, x, e, m$ are all small, this holds over the integers once the coefficients of $cg$ are centred in $(-q/2, q/2)$, so reducing modulo $2$ leaves $mg$ and $m \equiv (cg \bmod 2)/g \pmod 2$
Dual LWE
◮ Alice holds a short secret $e$ and publishes $u \equiv f_A(e) = Ae \pmod q$, a syndrome of Ajtai's function ($A \in \mathbb{Z}_q^{n \times m}$ is public)
◮ Bob encrypts a bit $b$ with a fresh LWE secret $s$ and small errors $x, e'$: $c_1 = g_A(s, x) = A^{\mathsf T} s + x$ (the LWE map applied with $A^{\mathsf T}$, so that the dimensions match $f_A$) and $c_2 = u^{\mathsf T} s + e' + b\lfloor q/2\rfloor$
◮ Alice decrypts: $c_2 - e^{\mathsf T} c_1 = e' - e^{\mathsf T} x + b\lfloor q/2\rfloor$, because $u^{\mathsf T} s = e^{\mathsf T} A^{\mathsf T} s$; the noise is small, so rounding recovers $b$
Identity Based Encryption
◮ Setup: the PKG generates $A$ together with its trapdoor $s$ (the master secret) and publishes $A$ and a hash function $H$
◮ Extract: a user claiming identity $\mathrm{ID}_B$ authenticates to the PKG (the "$\mathrm{ID}_B$?" check); the PKG computes $u = H(\mathrm{ID}_B)$ and uses the trapdoor to sample a short preimage $e = f_A^{-1}(u)$, which is the user's decryption key
◮ Encrypt: Alice derives Bob's public key herself as $u = H(\mathrm{ID}_B)$, with no interaction, and sends $(c_1, c_2) = \mathrm{DualEnc}(u, m_A)$
◮ Decrypt: Bob computes $\mathrm{DualDec}(c_1, c_2)$ with his extracted $e$
Functional Encryption
◮ Setup: the PKG fixes a function $f(x, y)$ of a ciphertext attribute $x$ and a key attribute $y$
◮ Key generation: each user receives a secret key $s_y$ for their attribute $y$ ($s_{y_A}, s_{y_B}, \dots, s_{y_F}$ for Alice, Bob, Carol, Dave, Eve, Fred)
◮ Encrypt: Alice chooses a policy $x_A$ and sends $c_A = \mathrm{Enc}_{x_A}(m_A)$
◮ Decrypt: a user with key $s_y$ computes $\mathrm{Dec}_y(c_A)$ (e.g. Bob with $s_{y_B}$, Carol with $s_{y_C}$); what this reveals about $m_A$ is governed by $f(x_A, y)$
Attribute Based Encryption
◮ Setup: the PKG issues each user a secret key for their attributes ($s_A, s_B, \dots, s_F$ for Alice, Bob, Carol, Dave, Eve, Fred)
◮ The special case of functional encryption above in which $f(x, y)$ is a yes/no check of the key's attributes $y$ against the ciphertext's policy $x$: a key decrypts exactly when its attributes satisfy the policy