lattice cryptography introduction and open problems
play

Lattice Cryptography: Introduction and Open Problems Daniele - PowerPoint PPT Presentation

Jul 21, 2023 •285 likes •1.21k views

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open

  1. Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 1 / 32

  2. Point Lattices The simplest example of lattice is Z n = { ( x 1 , . . . , x n ): x i ∈ Z } Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 2 / 32

  3. Point Lattices The simplest example of lattice is Z n = { ( x 1 , . . . , x n ): x i ∈ Z } Other lattices are obtained by applying a linear transformation B : x = ( x 1 , . . . , x n ) �→ Bx = x 1 · b 1 + · · · + x n · b n (0 , 1) b 2 B b 1 (1 , 0) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 2 / 32

  4. Lattice Cryptography cryptanalysis crypto design today 1982 1996 Lenstra, Lenstra, Lovasz (1982) : The “LLL” paper “Factoring Polynomials with Rational Coefficients” Algorithmic breakthrough Efficient approximate solution of lattice problems Exponential approximation factor, but very good in practice Killer App: Cryptanalysis Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 3 / 32

  5. Lattice Cryptography cryptanalysis crypto design today 1982 1996 Lenstra, Lenstra, Lovasz (1982) : The “LLL” paper “Factoring Polynomials with Rational Coefficients” Algorithmic breakthrough Efficient approximate solution of lattice problems Exponential approximation factor, but very good in practice Killer App: Cryptanalysis Ajtai (1996) : “Generating Hard Instances of Lattice Problems” Marks the beginning of the modern use of lattices in the design of cryptographic functions Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 3 / 32

  6. Ajtai’s paper (quotes) “cryptography . . . generation of a specific instance of a problem in NP which is thought to be difficult”. “NP-hard problems” “very famous question (e.g., prime factorization).” “Unfortunately ‘difficult to solve’ means . . . in the worst case” “no guidance about how to create [a hard instance]” “possible solution” “find a set of randomly generated problems”, and 1 “show that if there is an algorithm which [works] with a positive 2 probability, then there is also an algorithm which solves the famous problem in the worst case.” “In this paper we give such a class of random problems.” Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 4 / 32

  7. Example: Discrete Logrithm (DLOG) p : a prime Z ∗ p : multiplicative group p : generator of (prime order sub-)group G = { g i : i ∈ Z } ⊆ Z ∗ g ∈ Z ∗ p Input: h = g i mod p DLOG Problem Given p , g , h , recover i (modulo q = o ( g )) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 5 / 32

  8. Example: Discrete Logrithm (DLOG) p : a prime Z ∗ p : multiplicative group p : generator of (prime order sub-)group G = { g i : i ∈ Z } ⊆ Z ∗ g ∈ Z ∗ p Input: h = g i mod p DLOG Problem Given p , g , h , recover i (modulo q = o ( g )) Random Self Reducibility If you can solve DLOG for random g and h (with some probability), then you can solve it for any g , h in the worst-case. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 5 / 32

  9. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  10. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  11. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  12. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib 4 Find j = DLOG ( g ′ , h ′ ) = ib Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  13. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib 4 Find j = DLOG ( g ′ , h ′ ) = ib 5 Output j / b (mod q ). Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  14. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib 4 Find j = DLOG ( g ′ , h ′ ) = ib 5 Output j / b (mod q ). Conclusion We know how to choose g , h ∈ G . But, how do we choose G ? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  15. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  16. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log | G | . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  17. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log | G | . This is not the same: For any n , there are (exponentially) many primes p . Typically, p is chosen at random among all n -bit primes Assumption is still average-case: DLOG is hard for random p . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  18. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log | G | . This is not the same: For any n , there are (exponentially) many primes p . Typically, p is chosen at random among all n -bit primes Assumption is still average-case: DLOG is hard for random p . We do not know how to reduce DLOG ( Z ∗ p ) to DLOG ( Z ∗ q ). RSR provides no guidance on how to choose p . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  19. DLOG vs Lattices (2) Alternative assumption DLOG( p n ) is hard when p n is the smallest prime > 2 n . Equivalent to worst-case family of problems (indexed by n ) Ad-hoc: problem definition seems rather arbitrary Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 8 / 32

  20. DLOG vs Lattices (2) Alternative assumption DLOG( p n ) is hard when p n is the smallest prime > 2 n . Equivalent to worst-case family of problems (indexed by n ) Ad-hoc: problem definition seems rather arbitrary There is more: Lattice problems in dimension n reduce to lattice problems in dimension m > n : ⇒ B O B = O ∞ No such reduction for DLOG: ? DLOG ( p n ) = ⇒ DLOG ( p n +1 ) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 8 / 32

  21. DLOG vs Lattices (3) Other (natural) representations: G = ( Z ∗ p , · ) ≡ ( Z p − 1 , +) but “DLOG” in ( Z p − 1 , +) is easy. Other (still natural) groups: G = Z ∗ pq Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32

  22. DLOG vs Lattices (3) Other (natural) representations: G = ( Z ∗ p , · ) ≡ ( Z p − 1 , +) but “DLOG” in ( Z p − 1 , +) is easy. Other (still natural) groups: G = Z ∗ pq Question Assume one of DLOG ( Z p ) and DLOG ( Z p · q ) is polynomial time solvable, and one is not. Which group family would you choose? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32

  23. DLOG vs Lattices (3) Other (natural) representations: G = ( Z ∗ p , · ) ≡ ( Z p − 1 , +) but “DLOG” in ( Z p − 1 , +) is easy. Other (still natural) groups: G = Z ∗ pq Question Assume one of DLOG ( Z p ) and DLOG ( Z p · q ) is polynomial time solvable, and one is not. Which group family would you choose? Chinese Reminder Theorem (CRT): Z pq ≈ Z p × Z q DLOG ( Z ∗ ⇒ DLOG ( Z ∗ p ) = pq ) . Reduction in the other direction requires factoring. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32

Recommend

Introduction to Lattice Based Cryptography Eduardo Morais advisor: Ricardo Dahab Unicamp

Introduction to Lattice Based Cryptography Eduardo Morais advisor: Ricardo Dahab Unicamp

Introduction to Lattice Based Cryptography Eduardo Morais advisor: Ricardo Dahab Unicamp ASCrypto 2013 October 18, 2013 Agenda Introduction Definitions Dual Lattices q-ary Lattices Hard Problems Schemes Goldreich,

1.66k views • 119 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois Ncourtois@ slb.com SchlumbergerSema Louveciennes France Bruges - 26/11/2002 STORK Cryptography Workshop 1 Design of Block Ciphers and Hash

429 views • 4 slides
and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and

Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and

Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 12-16, 2013, (UCI) Daniele Micciancio Foundations of Lattice Cryptography This Talk Introduction

799 views • 32 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Open problems in coding and cryptography Grard Cohen May 2, 2012 1 / 1 Outline 1 Packings 2

Open problems in coding and cryptography Grard Cohen May 2, 2012 1 / 1 Outline 1 Packings 2

Open problems in coding and cryptography Grard Cohen May 2, 2012 1 / 1 Outline 1 Packings 2 W*M 3 Cloud encoding: packing by coverings 4 Group coverings 5 Identification 6 Frequency allocation: covering by packings 7 Witness 8 Non malleable

542 views • 41 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Background on lattice reduction Our results Our technical ideas and argument Conclusion and open problems Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL, UK London-ish Lattice Coding &

1.91k views • 167 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Some of my Favourite Open Problems in the Equational Logic of Processes Luca Aceto ICE-TCS,

Some of my Favourite Open Problems in the Equational Logic of Processes Luca Aceto ICE-TCS,

Introduction The General Setting A menagerie of open problems Call to arms Some of my Favourite Open Problems in the Equational Logic of Processes Luca Aceto ICE-TCS, School of Computer Science, Reykjavik University Open Problems in

713 views • 35 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International Complexity 2007 1 / 12 Lattices and Their Problems Let B = { b 1 , . . . , b n } R n be linearly independent. The n -dim lattice L having basis B is:

902 views • 58 slides
Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de

Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de

Introduction The MQ Problem Polynomial Equivalence Problems Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de Versailles Saint-Quentin Versailles, France Sminaire CARAMEL 20 janvier 2012

721 views • 59 slides
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8

850 views • 67 slides
Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

711 views • 69 slides

More recommend