new and old proof systems for lattice problems
play

New (and Old) Proof Systems for Lattice Problems Navid Alamati - PowerPoint PPT Presentation

Aug 16, 2022 •273 likes •960 views

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

  1. New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13

  2. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . 2 / 13

  3. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . 2 / 13

  4. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . ◮ Statistical ZK (SZK): “ ≈ ” means statistically indistinguishable. 2 / 13

  5. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . ◮ Statistical ZK (SZK): “ ≈ ” means statistically indistinguishable. ◮ Honest-verifier SZK ≡ general SZK [GSV’98] . 2 / 13

  6. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . ◮ Statistical ZK (SZK): “ ≈ ” means statistically indistinguishable. ◮ Honest-verifier SZK ≡ general SZK [GSV’98] . ◮ SZK proofs are powerful: secure against unbounded malicious P ∗ , V ∗ . 2 / 13

  7. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . 3 / 13

  8. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. 3 / 13

  9. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. SZK versus NISZK ⋆ Both SZK and NISZK have complete problems [SV’97, GSV’99] 3 / 13

  10. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. SZK versus NISZK ⋆ Both SZK and NISZK have complete problems [SV’97, GSV’99] ⋆ SZK is closed under complement [SV’97] , but NISZK is not known to be. 3 / 13

  11. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. SZK versus NISZK ⋆ Both SZK and NISZK have complete problems [SV’97, GSV’99] ⋆ SZK is closed under complement [SV’97] , but NISZK is not known to be. ⋆ NISZK is closed under complement ⇐ ⇒ NISZK = SKZ [GSV’99] 3 / 13

  12. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n b 1 � L = ( Z · b i ) i =1 b 2 O 4 / 13

  13. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n b 1 � L = ( Z · b i ) x i =1 b 2 O ◮ Represent coset x + L ∈ ( R n / L ) by unique ¯ x ∈ ( x + L ) ∩ P ( B ) . 4 / 13

  14. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n b 1 � L = ( Z · b i ) i =1 b 2 O λ 1 ◮ Represent coset x + L ∈ ( R n / L ) by unique ¯ x ∈ ( x + L ) ∩ P ( B ) . ◮ Minimum distance: length of shortest nonzero lattice vector λ 1 ( L ) = min 0 � = v ∈L � v � . 4 / 13

  15. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n � L = ( Z · b i ) i =1 ◮ Represent coset x + L ∈ ( R n / L ) by unique ¯ x ∈ ( x + L ) ∩ P ( B ) . ◮ Minimum distance: length of shortest nonzero lattice vector λ 1 ( L ) = min 0 � = v ∈L � v � . ◮ Covering radius: maximum distance from the lattice µ ( L ) = max x ∈ R n dist ( x , L ) . 4 / 13

  16. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  17. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  18. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  19. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  20. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) Applications ◮ Worst-case to average-case reductions [MR’04,Regev’05] 5 / 13

  21. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) Applications ◮ Worst-case to average-case reductions [MR’04,Regev’05] ◮ Constructions of cryptographic primitives [GPV’08,. . . ] 5 / 13

  22. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) Applications ◮ Worst-case to average-case reductions [MR’04,Regev’05] ◮ Constructions of cryptographic primitives [GPV’08,. . . ] ◮ Algorithms for SVP and CVP [ADRS’15,ADS’15] 5 / 13

  23. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? 6 / 13

  24. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. 6 / 13

  25. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. 6 / 13

  26. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central 6 / 13

  27. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central ◮ Replacing ‘classic’ problems w/GapSPP in proof systems [GG’98] and worst-case to average-case reductions [MR’04,R’05] subsumes the original results, and yields seemingly stronger ones. 6 / 13

  28. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central ◮ Replacing ‘classic’ problems w/GapSPP in proof systems [GG’98] and worst-case to average-case reductions [MR’04,R’05] subsumes the original results, and yields seemingly stronger ones. ◮ GapSPP ∈ SZK ⊆ AM ∩ coAM [CDLP’13] , but classic problems ∈ NISZK, coNP [AR’04,PV’08] . 6 / 13

  29. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central ◮ Replacing ‘classic’ problems w/GapSPP in proof systems [GG’98] and worst-case to average-case reductions [MR’04,R’05] subsumes the original results, and yields seemingly stronger ones. ◮ GapSPP ∈ SZK ⊆ AM ∩ coAM [CDLP’13] , but classic problems ∈ NISZK, coNP [AR’04,PV’08] . Motivating Question Are there noninteractive proof systems for GapSPP? 6 / 13

  30. Our Results ◮ Noninteractive (NISZK/coNP) proof systems for GapSPP, improving prior ‘trivial’ factors by ≈ √ n . 7 / 13

Recommend

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X , July 18, 2014 1/32 Outline Introduction Proof Systems Proof Search Proof Formats Proof Production Proof Consumption Applications Conclusions

574 views • 36 slides
Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International Complexity 2007 1 / 12 Lattices and Their Problems Let B = { b 1 , . . . , b n } R n be linearly independent. The n -dim lattice L having basis B is:

902 views • 58 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan Lattice QCD and Nuclei Nuclear theory predictions are needed to extract or constrain new physics from intensity frontier experiments Lattice QCD can

359 views • 20 slides
Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts ttts Tenerife PQCrypto Conference (January 31, 2018) Lattices What is a lattice? O Lattices What

1.59k views • 136 slides
Synthesis of Geometry Proof Problems Chris Alvin, Louisiana State University In Collaboration

Synthesis of Geometry Proof Problems Chris Alvin, Louisiana State University In Collaboration

Synthesis of Geometry Proof Problems Chris Alvin, Louisiana State University In Collaboration with Supratik Mukhopadhyay, LSU Sumit Gulwani, Microsoft Research, Redmond Rupak Majumdar, Max Planck Institute for Software Systems AAAI 14

639 views • 35 slides
a ; 90 o c -face centered lattice, having the

a ; 90 o c -face centered lattice, having the

PH-409 (2015) Tutorial Sheet No. 2 * Problems shall be discussed in tutorial class 20*. A two dimensional lattice has basis vectors 2 ; 2 . Find the a i b i j basis vectors of the reciprocal lattice. 21. (a) Show

214 views • 5 slides
Lattice Coding I: From Theory To Application Amin Sakzad Dept of Electrical and Computer Systems

Lattice Coding I: From Theory To Application Amin Sakzad Dept of Electrical and Computer Systems

Motivation Preliminaries Problems Relation Lattice Coding I: From Theory To Application Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013 Lattice Coding I: From Theory To

709 views • 58 slides
Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco

Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco

Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco (joint work with P . Jipsen, F. Liang, A. Palmigiano) Prague, 28 June TACL 2017 Multi-type methodology Syntax meets semantics: the wider picture

461 views • 32 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik Leibniz-Universitt Hannover, Germany joint work with Johannes Kbler and Sebastian Mller Olaf Beyersdorff Proof Systems that Take Advice Proof Systems

854 views • 69 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The SNARG Definitions Construction END Background Option for SNARGs Security s Proof Systems Roadmap and Tools Framework Conclusions Motivation

1.03k views • 66 slides
Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ Automated Reasoning and Satisfiability, September 24, 2019 Certificates What makes a problem hard? Certificate angle: can one efficiently check an

1.11k views • 107 slides
Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Background on lattice reduction Our results Our technical ideas and argument Conclusion and open problems Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL, UK London-ish Lattice Coding &

1.91k views • 167 slides
Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open

1.21k views • 91 slides
Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with

Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with

Introduction Graphical Definitions The R Operation Convergence Proof Equivalence to Counterterms Power Counting Applications Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with applications to lattice

557 views • 44 slides
Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics

Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics

Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics of the AS CR, Prague Logic Colloquium 2007, Wrocaw p. 1 Propositional proof complexity Studies efficiency (absolute or relative) of proof

302 views • 18 slides
Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/51 Hard

300 views • 17 slides
Lattice Computing in Hybrid Intelligent Systems Manuel Graa Computational Intelligence Group,

Lattice Computing in Hybrid Intelligent Systems Manuel Graa Computational Intelligence Group,

Introduction Lattice Associative Memories Applications Concluding remarks Lattice Computing in Hybrid Intelligent Systems Manuel Graa Computational Intelligence Group, UPV/EHU December 4, 2012 Manuel Graa Lattice Computing in Hybrid

1.25k views • 86 slides
Challenges in evaluating costs Three typical attack problems of known lattice attacks Define R =

Challenges in evaluating costs Three typical attack problems of known lattice attacks Define R =

1 2 Challenges in evaluating costs Three typical attack problems of known lattice attacks Define R = Z [ x ] = ( x 761 x 1); Daniel J. Bernstein small = all coeffs in { 1 ; 0 ; 1 } ; Tanja Lange w = 286; q = 4591. Attacker

1.73k views • 140 slides
Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof

Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof

Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof Pietrzak 1st International Summer School on Security & Privacy for Blockchains and Distributed Ledger Technologies. September 5th 2019. Proof Systems

1.44k views • 142 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace

Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace

Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace Sam Buss U.C. San Diego Virtual Seminar Proof Society proofsociety.org October 7, 2020 includes joint work with Anupam Das and Alexander Knop

367 views • 25 slides

More recommend