lattices from worst case to average case to cryptography
play

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris - PowerPoint PPT Presentation

Oct 11, 2023 •681 likes •1.43k views

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16 Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case

  1. Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16

  2. Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case to average-case 3 Basic crypto applications 2 / 16

  3. Part 1: The Smoothing Parameter and Discrete Gaussians ◮ D. Micciancio, O. Regev (FOCS 2004) “Worst-Case to Average-Case Reductions Based on Gaussian Measures” ◮ C. Gentry, C. Peikert, V. Vaikuntanathan (STOC 2008) “Trapdoors for Hard Lattices and New Cryptographic Constructions” 3 / 16

  4. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  5. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  6. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  7. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  8. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) Definition: Smoothing Parameter smooth ( L ) = min s > 0 such that ρ ( s L ∗ \ { 0 } ) ≤ negl ( n ) 4 / 16

  9. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) Key Fact For s ≥ smooth ( L ) , every coset has equal ∗ mass: ρ s ( L + x ) ≈ ρ s ( L ) . 4 / 16

  10. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) 5 / 16

  11. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . s O 5 / 16

  12. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . Lemma: Tail Bound [Banaszczyk’95] For any lattice L , ) ≤ 2 exp ( − π s 2 ) · ρ ( L ) ρ ( L \ s O 5 / 16

  13. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . Lemma: Tail Bound [Banaszczyk’95] For any lattice L , ) ≤ 2 exp ( − π s 2 ) · ρ ( L ) ρ ( L \ s O 5 / 16

  14. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . Lemma: Tail Bound [Banaszczyk’95] For any lattice L , ) ≤ 2 exp ( − π s 2 ) · ρ ( L ) ρ ( L \ s O By union bound, p := ρ ( s Z n \ { 0 } ) = ρ ( s Z n \ ) ≤ n · negl · ρ ( s Z n ) = negl · ( 1 + p ) . � 5 / 16

  15. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Dual L ∗ Primal L b 2 � b 2 � b 1 = b 1 6 / 16

  16. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Theorem B � · ω ( √ log n ) . Let B be any basis of L . Then smooth ( L ) ≤ � � Dual L ∗ Primal L b 2 � b 2 � b 1 = b 1 6 / 16

  17. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Theorem B � · ω ( √ log n ) . Let B be any basis of L . Then smooth ( L ) ≤ � � ◮ Dual basis: � b ∗ i , b j � = δ ij . (GSO in reverse.) Dual L ∗ Primal L � b ∗ 2 = b ∗ 2 b 2 � b 2 � b 1 = b 1 � b ∗ 1 b ∗ 1 6 / 16

  18. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Theorem B � · ω ( √ log n ) . Let B be any basis of L . Then smooth ( L ) ≤ � � ◮ Dual basis: � b ∗ Fact: � � i � = 1 / � � b ∗ i , b j � = δ ij . (GSO in reverse.) b i � Dual L ∗ Primal L � b ∗ 2 = b ∗ 2 b 2 � b 2 � b 1 = b 1 � b ∗ 1 b ∗ 1 6 / 16

  19. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 7 / 16

  20. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 7 / 16

  21. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . 7 / 16

  22. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 7 / 16

  23. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 2 Additive: if x ∼ D L + c , s and y ∼ D L + d , t , then x + y ∼ D L + c + d , √ s 2 + t 2 7 / 16

  24. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 2 Additive: if x ∼ D L + c , s and y ∼ D L + d , t , then x + y ∼ D L + c + d , √ s 2 + t 2 3 Unpredictable: min-entropy ≥ n 7 / 16

  25. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 2 Additive: if x ∼ D L + c , s and y ∼ D L + d , t , then x + y ∼ D L + c + d , √ s 2 + t 2 3 Unpredictable: min-entropy ≥ n 4 Many more . . . 7 / 16

  26. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B 8 / 16

  27. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  28. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  29. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  30. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  31. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 ◮ Proof: by smoothing, D L− c , s ( plane ) depends only on dist ( c , plane ) 8 / 16

Recommend

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 1 / 15 Worst-case versus average-case complexity Lattices are an

851 views • 58 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

909 views • 63 slides
Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and Swastik Kopparty and Shubhangi Saraf June 2018 Overview motivation main results applications one proof Motivation Arithmetization

283 views • 15 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Algorithm : Design & Analysis [6] Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds for Sorting by Comparison of Keys Worst Case Average Behavior Heapsort Heap Structure and Patial

658 views • 31 slides
Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort of x 1 , x 2 , , x n . For i = 2, 3, , n , insert x i into x 1 , x 2 , , x i 1 such that these i data items are sorted.

509 views • 31 slides
Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case) Make - Heap (1) (1) (1) (lg n ) O (lg n ) (1) Insert (1) O (lg n ) (1) Minimum Extract - Min (lg n ) (lg n ) O (lg n ) ( n

376 views • 16 slides
Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research) Damien Scieur (Samsung SAIT AI Lab, Montral) International Conference on Machine Learning 2020 Complexity Analysis in Optimization Worst-case

271 views • 12 slides
Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC) Background Deterministic QoS guarantees dictate a need for an analytical evaluation of QoS parameters: worst-case latency, worst- case

211 views • 6 slides
Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if... SAT is hard in the worst case, BUT... generating hard random instances of SAT is hard? Lipton, 1993 worst-case versus average-case complexity 1.

481 views • 22 slides
Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen High Performance Networking Group Stanford University HotNets-IV, November 2005 Introduction: Worst-case design Preference for worst-case

1.24k views • 14 slides
quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place? recursive version? data structures and algorithms merge sort: 2020 09 10 worst-case time complexity? lecture 4 best-case time complexity? in-place?

548 views • 7 slides
1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

Worst-Case vs. Average Case CSE 473: Artificial Intelligence Expectimax, Uncertainty, Utilities max min 10 10 9 100 Dieter Fox [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188

394 views • 8 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal MaxPlanckInstitut f ur Informatik Saarbr ucken Germany Jyrki Katajainen Datalogisk Institut Kbenhavns Universitet Denmark July 1998 Worst-Case Ef

161 views • 12 slides
Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and History Royal InsAtute of Technology KTH, Stockholm Background IniAal phase of a 2-year research project on values in worst case scenarios.

631 views • 41 slides
Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert

Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert

Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert Manuel Heusner University of Basel July 19th, 2018 Introduction Theoretical Results Experimental Results Conclusion Motivation A [Hart et

535 views • 22 slides
From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms

From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms

From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms Maria-Florina Balcan, PI Avrim Blum, Co-PI Tom M Mitchell, Co-PI Students Travis Dick Nika Haghtalab Hongyang Zhang Motivation Machine learning

443 views • 22 slides
Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B: Heapsort and Quicksort I sorts in place , is stable Kyriakos Kalorkoti mergeSort I worst-case running time: ( n lg ( n )) School of Informatics

334 views • 4 slides
Algorithm Analysis: Big O Notation Determine the running

Algorithm Analysis: Big O Notation Determine the running

Algorithm Analysis: Big O Notation Determine the running time of simple algorithms Best case Average case Worst case Profile algorithms

1.28k views • 82 slides
The problem with binary search trees Height-balanced trees AVL trees Search time average case:

The problem with binary search trees Height-balanced trees AVL trees Search time average case:

The problem with binary search trees Height-balanced trees AVL trees Search time average case: lg( n ) Tyler Moore Search time worst case: n Can you construct such a tree? CS 2123, The University of Tulsa Solution: height-balanced binary trees

212 views • 4 slides
Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement quicksort derive the average case runtime of quick sort and similar algorithms Q1-3 Q1 For any recurrence relation in in th the f form :

329 views • 18 slides
Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement quicksort derive the average case runtime of quick sort and similar algorithms Q1-3 Q1 For any recurrence relation in e form : in th the f

354 views • 19 slides

More recommend