lattices that admit logarithmic worst case to average
play

Lattices that Admit Logarithmic Worst-Case to Average-Case - PowerPoint PPT Presentation

Nov 01, 2022 •266 likes •851 views

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 1 / 15 Worst-case versus average-case complexity Lattices are an

  1. Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS → IDC Herzliya STOC 2007 1 / 15

  2. Worst-case versus average-case complexity Lattices are an intriguing case study: ◮ Believed hard in the worst case ◮ Worst-case / average-case reductions 2 / 15

  3. Worst-case versus average-case complexity Lattices are an intriguing case study: ◮ Believed hard in the worst case ◮ Worst-case / average-case reductions This Talk. . . ◮ Not (exactly) about crypto ◮ Special, natural class of algebraic lattices ◮ Very tight worst-case/average-case reductions • Much tighter than known for general lattices ◮ Distinctions between decision and search ◮ Many open problems 2 / 15

  4. Lattices Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n b 1 � L = ( Z · b i ) i = 1 b 2 3 / 15

  5. Lattices Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n b 1 � L = ( Z · b i ) P i = 1 b 2 Fundamental region: Parallelepiped P spanned by b i s. 3 / 15

  6. Lattices Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n b 1 � L = ( Z · b i ) P i = 1 b 2 λ 1 Fundamental region: Parallelepiped P spanned by b i s. Minimum distance: λ 1 = length of shortest nonzero v ∈ L . 3 / 15

  7. Lattices Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n b 1 � L = ( Z · b i ) P i = 1 b 2 λ 1 Fundamental region: Parallelepiped P spanned by b i s. Minimum distance: λ 1 = length of shortest nonzero v ∈ L . Minkowski’s Theorem √ n · vol ( P ) 1 / n ≤ λ 1 (Non-constructive, non-algorithmic proof. . . ) 3 / 15

  8. Shortest Vector Problem (SVP) Approximation factor γ = γ ( n ) . Decision: Given basis, distinguish λ 1 ≤ 1 from λ 1 > γ . 4 / 15

  9. Shortest Vector Problem (SVP) Approximation factor γ = γ ( n ) . Decision: Given basis, distinguish λ 1 ≤ 1 from λ 1 > γ . Search: Given basis, find nonzero v ∈ L such that � v � ≤ γ · λ 1 . 4 / 15

  10. Shortest Vector Problem (SVP) Approximation factor γ = γ ( n ) . Decision: Given basis, distinguish λ 1 ≤ 1 from λ 1 > γ . Search: Given basis, find nonzero v ∈ L such that � v � ≤ γ · λ 1 . Hardness ◮ Almost-polynomial factors γ ( n ) [Ajt,Mic,Kho,HaRe] 4 / 15

  11. Shortest Vector Problem (SVP) Approximation factor γ = γ ( n ) . Decision: Given basis, distinguish λ 1 ≤ 1 from λ 1 > γ . Search: Given basis, find nonzero v ∈ L such that � v � ≤ γ · λ 1 . Hardness ◮ Almost-polynomial factors γ ( n ) [Ajt,Mic,Kho,HaRe] Algorithms for SVP γ ◮ γ ( n ) ∼ 2 n approximation in poly-time [LLL] ◮ Can trade-off running time/approximation [Sch,AKS] 4 / 15

  12. Worst-Case/Average-Case Connections [Ajtai,. . . ] For some γ ( n ) = poly ( n ) (“connection factor”): SVP γ hard in the worst case ⇓ problems hard on the average 5 / 15

  13. Worst-Case/Average-Case Connections [Ajtai,. . . ] For some γ ( n ) = poly ( n ) (“connection factor”): SVP γ hard in the worst case ⇓ problems hard on the average Cryptographic Applications ◮ One-way & collision-resistant functions [Ajtai,GGH,. . . ] ◮ Public-key encryption [AjtaiDwork,Regev] 5 / 15

  14. Worst-Case/Average-Case Connections [Ajtai,. . . ] For some γ ( n ) = poly ( n ) (“connection factor”): SVP γ hard in the worst case ⇓ problems hard on the average Cryptographic Applications ◮ One-way & collision-resistant functions [Ajtai,GGH,. . . ] ◮ Public-key encryption [AjtaiDwork,Regev] Optimizing the Connection Factor γ ◮ Interesting to characterize complexity ◮ Important for crypto due to time/accuracy tradeoff ◮ Current best γ ( n ) ∼ n [MicciancioRegev] 5 / 15

  15. This Work: Ideal Lattices ◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. 6 / 15

  16. This Work: Ideal Lattices ◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant. 6 / 15

  17. This Work: Ideal Lattices ◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant. SVP on Ideal Lattices ◮ Well-known bottleneck in number theory algorithms: Ideal reduction, unit & class group computation, . . . 6 / 15

  18. This Work: Ideal Lattices ◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant. SVP on Ideal Lattices ◮ Well-known bottleneck in number theory algorithms: Ideal reduction, unit & class group computation, . . . ◮ Decision-SVP is easy to approximate: λ 1 ≈ Minkowski bound. Not NP-hard! 6 / 15

  19. This Work: Ideal Lattices ◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant. SVP on Ideal Lattices ◮ Well-known bottleneck in number theory algorithms: Ideal reduction, unit & class group computation, . . . ◮ Decision-SVP is easy to approximate: λ 1 ≈ Minkowski bound. Not NP-hard! ◮ Search-SVP appears hard, despite structure. Best known algorithms [LLL,Sch,AKS] . 6 / 15

  20. Our Results Complexity of Ideal Lattices 1 Connection factors as low as γ = √ log n . • Based on search-SVP . (Decision is easy .) • For SVP in any ℓ p norm. (Stay for CCC.) Classic win-win situation. 2 Relations among problems on ideal lattices (SVP , CVP). 7 / 15

  21. Our Results Complexity of Ideal Lattices 1 Connection factors as low as γ = √ log n . • Based on search-SVP . (Decision is easy .) • For SVP in any ℓ p norm. (Stay for CCC.) Classic win-win situation. 2 Relations among problems on ideal lattices (SVP , CVP). Subtleties No efficient constructions of best number fields (yet). ⇒ Non-uniformity (preprocessing) in reductions. ⇒ Crypto is tricky. ⇒ Many interesting open problems! 7 / 15

  22. Other Special Classes of Lattices 1 “Unique” shortest vector: • One-way/CR functions [Ajtai,GGH] • Public-key encryption [AjtaiDwork,Regev] 8 / 15

  23. Other Special Classes of Lattices 1 “Unique” shortest vector: • One-way/CR functions [Ajtai,GGH] • Public-key encryption [AjtaiDwork,Regev] 2 Cyclic lattices: • Efficient & compact OWFs [Micciancio] • Collision-resistant hashing [PeikertRosen,LyubashevskyMicciancio] 8 / 15

  24. Other Special Classes of Lattices 1 “Unique” shortest vector: • One-way/CR functions [Ajtai,GGH] • Public-key encryption [AjtaiDwork,Regev] 2 Cyclic lattices: • Efficient & compact OWFs [Micciancio] • Collision-resistant hashing [PeikertRosen,LyubashevskyMicciancio] Structure used for functionality & efficiency. Connection factors γ ∼ n or more. 8 / 15

  25. Worst-to-Average Reduction [Ajtai,. . . ] Average-Case Problem For uniform a 1 , . . . , a m ← Z n mod q , find short nonzero z ∈ Z m : � z i a i = 0 mod q . 9 / 15

  26. Worst-to-Average Reduction [Ajtai,. . . ] Average-Case Problem For uniform a 1 , . . . , a m ← Z n mod q , find short nonzero z ∈ Z m : � z i a i = 0 mod q . Reduction i ∈ R n , derive uniform a i ’s 1 Sample offset vectors 2 Get short solution z ∈ Z m 3 Output ( � z i · i ) ∈ L 9 / 15

  27. Worst-to-Average Reduction [Ajtai,. . . ] Average-Case Problem For uniform a 1 , . . . , a m ← Z n mod q , find short nonzero z ∈ Z m : � z i a i = 0 mod q . Reduction i ∈ R n , derive uniform a i ’s 1 Sample offset vectors 2 Get short solution z ∈ Z m 3 Output ( � z i · i ) ∈ L 9 / 15

  28. Worst-to-Average Reduction [Ajtai,. . . ] Average-Case Problem For uniform a 1 , . . . , a m ← Z n mod q , find short nonzero z ∈ Z m : � z i a i = 0 mod q . Reduction i ∈ R n , derive uniform a i ’s 1 Sample offset vectors 2 Get short solution z ∈ Z m 3 Output ( � z i · i ) ∈ L 9 / 15

  29. Worst-to-Average Reduction [Ajtai,. . . ] Average-Case Problem For uniform a 1 , . . . , a m ← Z n mod q , find short nonzero z ∈ Z m : � z i a i = 0 mod q . Reduction i ∈ R n , derive uniform a i ’s 1 Sample offset vectors 2 Get short solution z ∈ Z m 3 Output ( � z i · i ) ∈ L 9 / 15

  30. Worst-to-Average Reduction [Ajtai,. . . ] Average-Case Problem For uniform a 1 , . . . , a m ← Z n mod q , find short nonzero z ∈ Z m : � z i a i = 0 mod q . Reduction i ∈ R n , derive uniform a i ’s 1 Sample offset vectors 2 Get short solution z ∈ Z m 3 Output ( � z i · i ) ∈ L Connection Factor ◮ Size of solution z ∈ Z m ◮ Lengths of offset vectors i 9 / 15

  31. Our Approach ◮ Replace “1-dim” integers Z with “ n -dim integers” O K . O K = ring of algebraic integers in number field K of degree n . 10 / 15

  32. Our Approach ◮ Replace “1-dim” integers Z with “ n -dim integers” O K . O K = ring of algebraic integers in number field K of degree n . • Has + and × , “absolute value” |·| , . . . 10 / 15

Recommend

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16 Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case

1.43k views • 74 slides
Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

909 views • 63 slides
Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and Swastik Kopparty and Shubhangi Saraf June 2018 Overview motivation main results applications one proof Motivation Arithmetization

283 views • 15 slides
Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Algorithm : Design & Analysis [6] Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds for Sorting by Comparison of Keys Worst Case Average Behavior Heapsort Heap Structure and Patial

658 views • 31 slides
Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort of x 1 , x 2 , , x n . For i = 2, 3, , n , insert x i into x 1 , x 2 , , x i 1 such that these i data items are sorted.

509 views • 31 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Hash Tables Tables so far set() get() delete() BST Average O(lg n) O(lg n) O(lg n) Worst

Hash Tables Tables so far set() get() delete() BST Average O(lg n) O(lg n) O(lg n) Worst

Hash Tables Tables so far set() get() delete() BST Average O(lg n) O(lg n) O(lg n) Worst O(n) O(n) O(n) RB Tree Average O(lg n) O(lg n) O(lg n) Worst O(lg n) O(lg n) O(lg n) Table nave array implementation Direct

1.19k views • 44 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case) Make - Heap (1) (1) (1) (lg n ) O (lg n ) (1) Insert (1) O (lg n ) (1) Minimum Extract - Min (lg n ) (lg n ) O (lg n ) ( n

376 views • 16 slides
Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research) Damien Scieur (Samsung SAIT AI Lab, Montral) International Conference on Machine Learning 2020 Complexity Analysis in Optimization Worst-case

271 views • 12 slides
Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if... SAT is hard in the worst case, BUT... generating hard random instances of SAT is hard? Lipton, 1993 worst-case versus average-case complexity 1.

481 views • 22 slides
Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC) Background Deterministic QoS guarantees dictate a need for an analytical evaluation of QoS parameters: worst-case latency, worst- case

211 views • 6 slides
Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen High Performance Networking Group Stanford University HotNets-IV, November 2005 Introduction: Worst-case design Preference for worst-case

1.24k views • 14 slides
1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

Worst-Case vs. Average Case CSE 473: Artificial Intelligence Expectimax, Uncertainty, Utilities max min 10 10 9 100 Dieter Fox [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188

394 views • 8 slides
Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal MaxPlanckInstitut f ur Informatik Saarbr ucken Germany Jyrki Katajainen Datalogisk Institut Kbenhavns Universitet Denmark July 1998 Worst-Case Ef

161 views • 12 slides
Binary Search Tree Remove Todays announcements: PA2 available soon Todays Plan

Binary Search Tree Remove Todays announcements: PA2 available soon Todays Plan

Binary Search Tree Remove Todays announcements: PA2 available soon Todays Plan Average height of BST Remove Warm up: Worst case time to perform find in a BST with n nodes: Worst case time to perform n inserts into an empty BST:

364 views • 15 slides
Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and History Royal InsAtute of Technology KTH, Stockholm Background IniAal phase of a 2-year research project on values in worst case scenarios.

631 views • 41 slides
Sorting... more 2 Announcements Homework posted, due next Sunday 3 Quicksort Runtime: Worst

Sorting... more 2 Announcements Homework posted, due next Sunday 3 Quicksort Runtime: Worst

1 Sorting... more 2 Announcements Homework posted, due next Sunday 3 Quicksort Runtime: Worst case? Always pick lowest/highest element, so O(n 2 ) Average? 4 Quicksort Runtime: Worst case? Always pick lowest/highest element, so O(n 2

734 views • 72 slides
quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place? recursive version? data structures and algorithms merge sort: 2020 09 10 worst-case time complexity? lecture 4 best-case time complexity? in-place?

548 views • 7 slides
Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B: Heapsort and Quicksort I sorts in place , is stable Kyriakos Kalorkoti mergeSort I worst-case running time: ( n lg ( n )) School of Informatics

334 views • 4 slides
Information Geometry in Mathematical Finance: Model Risk, Worst and Almost Worst Scenarios Imre

Information Geometry in Mathematical Finance: Model Risk, Worst and Almost Worst Scenarios Imre

The problem and its history Solution of the Problem Localisation and neighbourhood of worst case distributions Information Geometry in Mathematical Finance: Model Risk, Worst and Almost Worst Scenarios Imre Csisz ar Thomas Breuer PPE

456 views • 21 slides
The problem with binary search trees Height-balanced trees AVL trees Search time average case:

The problem with binary search trees Height-balanced trees AVL trees Search time average case:

The problem with binary search trees Height-balanced trees AVL trees Search time average case: lg( n ) Tyler Moore Search time worst case: n Can you construct such a tree? CS 2123, The University of Tulsa Solution: height-balanced binary trees

212 views • 4 slides
Timely Justice Practice Guide Average Daily Population ADP = Admissions X Average Length of Stay

Timely Justice Practice Guide Average Daily Population ADP = Admissions X Average Length of Stay

Timely Justice Practice Guide Average Daily Population ADP = Admissions X Average Length of Stay 365 Baltimore Admissions by Length of Stay Shelby County, TN Compare the following: Average and median number of days from Admit to Final

402 views • 19 slides
Algorithm Analysis: Big O Notation Determine the running

Algorithm Analysis: Big O Notation Determine the running

Algorithm Analysis: Big O Notation Determine the running time of simple algorithms Best case Average case Worst case Profile algorithms

1.28k views • 82 slides

More recommend