lattice cryptography for the internet chris peikert
play

Lattice Cryptography for the Internet Chris Peikert Georgia - PowerPoint PPT Presentation

Feb 01, 2024 •168 likes •873 views

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

  1. Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12

  2. Lattice-Based Cryptography p d o m x g = y N = = ⇒ p m e mod N · q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 12

  3. Lattice-Based Cryptography = ⇒ (Images courtesy xkcd.org) 2 / 12

  4. Lattice-Based Cryptography = ⇒ Amazing! ◮ Simple, efficient, and highly parallel crypto schemes ◮ Resists attacks by quantum algorithms (so far) ◮ Security from worst-case complexity assumptions ◮ Solves “holy grail” problems in crypto: FHE, obfuscation, . . . (Images courtesy xkcd.org) 2 / 12

  5. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) 3 / 12

  6. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) 3 / 12

  7. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) ◮ (Hierarchical) identity-based encryption 3 / 12

  8. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) ◮ (Hierarchical) identity-based encryption ◮ Attribute-based encryption 3 / 12

  9. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) ◮ (Hierarchical) identity-based encryption ◮ Attribute-based encryption ◮ Fully homomorphic encryption 3 / 12

  10. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) ◮ (Hierarchical) identity-based encryption ◮ Attribute-based encryption ◮ Fully homomorphic encryption ◮ Functional encryption 3 / 12

  11. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) ◮ (Hierarchical) identity-based encryption ◮ Attribute-based encryption ◮ Fully homomorphic encryption ◮ Functional encryption ◮ General-purpose obfuscation ◮ · · · 3 / 12

  12. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) ◮ (Hierarchical) identity-based encryption ◮ Attribute-based encryption ◮ Fully homomorphic encryption ◮ Functional encryption ◮ General-purpose obfuscation ◮ · · · Meanwhile, in the Real World. . . 3 / 12

  13. A Decade of Lattice Crypto ◮ Trapdoor functions and CCA-secure encryption (w/o ROM) ◮ Signatures schemes (w/ and w/o ROM) ◮ (Hierarchical) identity-based encryption ◮ Attribute-based encryption ◮ Fully homomorphic encryption ◮ Functional encryption ◮ General-purpose obfuscation ◮ · · · Meanwhile, in the Real World. . . ◮ The vast majority of (public-key) crypto used in practice: signatures and key exchange/transport, over the Internet. 3 / 12

  14. This Work ◮ A first step towards Internet standards for lattice cryptography. 4 / 12

  15. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) 4 / 12

  16. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) ⋆ New, efficient KEMs from ring-LWE (` a la RSA-KEM, RFC 5990) 4 / 12

  17. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) ⋆ New, efficient KEMs from ring-LWE (` a la RSA-KEM, RFC 5990) ◮ Technical contribution: a new ‘reconciliation’ mechanism yielding additive (not multiplicative) ciphertext overhead for lattice encryption. 4 / 12

  18. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) ⋆ New, efficient KEMs from ring-LWE (` a la RSA-KEM, RFC 5990) ◮ Technical contribution: a new ‘reconciliation’ mechanism yielding additive (not multiplicative) ciphertext overhead for lattice encryption. ⋆ Bit-for-bit encryption, plus fixed-size ‘prelude’ 4 / 12

  19. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) ⋆ New, efficient KEMs from ring-LWE (` a la RSA-KEM, RFC 5990) ◮ Technical contribution: a new ‘reconciliation’ mechanism yielding additive (not multiplicative) ciphertext overhead for lattice encryption. ⋆ Bit-for-bit encryption, plus fixed-size ‘prelude’ ⋆ Improves prior ciphertext sizes by up to 2x, at essentially no cost (in security, runtime, key sizes, etc.) 4 / 12

  20. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) ⋆ New, efficient KEMs from ring-LWE (` a la RSA-KEM, RFC 5990) ◮ Technical contribution: a new ‘reconciliation’ mechanism yielding additive (not multiplicative) ciphertext overhead for lattice encryption. ⋆ Bit-for-bit encryption, plus fixed-size ‘prelude’ ⋆ Improves prior ciphertext sizes by up to 2x, at essentially no cost (in security, runtime, key sizes, etc.) ⋆ Applies to all (ring-)LWE-based encryption schemes 4 / 12

  21. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) ⋆ New, efficient KEMs from ring-LWE (` a la RSA-KEM, RFC 5990) ◮ Technical contribution: a new ‘reconciliation’ mechanism yielding additive (not multiplicative) ciphertext overhead for lattice encryption. ⋆ Bit-for-bit encryption, plus fixed-size ‘prelude’ ⋆ Improves prior ciphertext sizes by up to 2x, at essentially no cost (in security, runtime, key sizes, etc.) ⋆ Applies to all (ring-)LWE-based encryption schemes ◮ Not in this work: parameters, security estimates, implementation 4 / 12

  22. This Work ◮ A first step towards Internet standards for lattice cryptography. ⋆ AKE from any passively secure KEM (` a la IKEv2, RFC 5996) ⋆ New, efficient KEMs from ring-LWE (` a la RSA-KEM, RFC 5990) ◮ Technical contribution: a new ‘reconciliation’ mechanism yielding additive (not multiplicative) ciphertext overhead for lattice encryption. ⋆ Bit-for-bit encryption, plus fixed-size ‘prelude’ ⋆ Improves prior ciphertext sizes by up to 2x, at essentially no cost (in security, runtime, key sizes, etc.) ⋆ Applies to all (ring-)LWE-based encryption schemes ◮ Not in this work: parameters, security estimates, implementation ⋆ Follow-up [BCNS’14] : TLS/SSL suite (in C) using these components, with estimated > 128 bit security: practical! 4 / 12

  23. Authenticated Key Exchange k k ◮ Basic Goal: mutually authenticate parties and provide them a “consistent view” of completed session (including key k ). 5 / 12

  24. Authenticated Key Exchange k k ◮ Basic Goal: mutually authenticate parties and provide them a “consistent view” of completed session (including key k ). ◮ Adversary controls network, session initiation, may corrupt parties. 5 / 12

  25. Authenticated Key Exchange k k ◮ Basic Goal: mutually authenticate parties and provide them a “consistent view” of completed session (including key k ). ◮ Adversary controls network, session initiation, may corrupt parties. ◮ Many intricate models and definitions, offering strong guarantees. [BR’93,BR’95,Kra’96,BCK’98,Sho’99,CK’01-02,LMQ’03,Kra’05,. . . ] 5 / 12

  26. Authenticated Key Exchange ◮ We focus on “SK-security with post-specified peer” model [CK’02a] ⋆ Designed explicitly with Internet in mind ⋆ ‘Responder’ identity is discovered during protocol; can conceal identities 6 / 12

  27. Authenticated Key Exchange ◮ We focus on “SK-security with post-specified peer” model [CK’02a] ⋆ Designed explicitly with Internet in mind ⋆ ‘Responder’ identity is discovered during protocol; can conceal identities ◮ A version of Krawczyk’s “SIGn-and-MAc” (SIGMA) protocol [Kra’03] satisfies this security definition, assuming DDH 6 / 12

  28. Authenticated Key Exchange ◮ We focus on “SK-security with post-specified peer” model [CK’02a] ⋆ Designed explicitly with Internet in mind ⋆ ‘Responder’ identity is discovered during protocol; can conceal identities ◮ A version of Krawczyk’s “SIGn-and-MAc” (SIGMA) protocol [Kra’03] satisfies this security definition, assuming DDH ◮ Internet Key Exchange (RFC 5996) based on this model & protocol 6 / 12

  29. Authenticated Key Exchange ◮ We focus on “SK-security with post-specified peer” model [CK’02a] ⋆ Designed explicitly with Internet in mind ⋆ ‘Responder’ identity is discovered during protocol; can conceal identities ◮ A version of Krawczyk’s “SIGn-and-MAc” (SIGMA) protocol [Kra’03] satisfies this security definition, assuming DDH ◮ Internet Key Exchange (RFC 5996) based on this model & protocol Our Results ◮ We generalize SIGMA, replacing its underlying DH mechanism with any passively secure KEM. 6 / 12

Recommend

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work with Oded Regev and Noah Stephens-Davidowitz to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N =

1.01k views • 84 slides
Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

853 views • 52 slides
Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices Full-rank additive subgroup in Z m . O 2 / 17 Recall:

971 views • 94 slides
Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &

1.2k views • 76 slides
Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology

Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology

Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 1 / 19 Talk Agenda Encryption schemes with special features: 2 / 19 Talk Agenda

876 views • 71 slides
Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto & Applications,

1.27k views • 94 slides
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on

Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on

Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto & Applications,

853 views • 82 slides
Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International Complexity 2007 1 / 12 Lattices and Their Problems Let B = { b 1 , . . . , b n } R n be linearly independent. The n -dim lattice L having basis B is:

902 views • 58 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

960 views • 68 slides
Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16 Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case

1.43k views • 74 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12 Conclusions 2 / 12 Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error

861 views • 65 slides
A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography Vadim

814 views • 70 slides
Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1 / 13 Agenda 1 Polynomial rings, ideal lattices and Ring-LWE 2 Basic Ring-LWE encryption 3 Fully homomorphic encryption Selected bibliography:

840 views • 64 slides

More recommend