on algebraic variants of the lwe problem
play

On algebraic variants of the LWE problem Damien Stehl e Based on - PowerPoint PPT Presentation

Mar 26, 2023 •394 likes •1.04k views

Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion On algebraic variants of the LWE problem Damien Stehl e Based on joint works with M. Rosca, A. Sakzad, R. Steinfeld and A. Wallet Figures borrowed from M. Rosca and A.

  1. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion On algebraic variants of the LWE problem Damien Stehl´ e Based on joint works with M. Rosca, A. Sakzad, R. Steinfeld and A. Wallet Figures borrowed from M. Rosca and A. Wallet ENS de Lyon , Bitdefender, U. Monash ICERM, April 2018 Damien Stehl´ e On algebraic variants of LWE 24/04/2018 1/32

  2. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion What is this talk about Signatures PKE FHE Hash SIS LWE IBE [Ajt96] [Reg05] ApproxSVP SIS and LWE are lattice problems that are convenient for cryptographic design. We’ll focus on “efficient” variants of LWE. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 2/32

  3. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE [Reg05] LWE parameters: m ≥ n ≥ 1, q ≥ 2 and α > 0. m s s find A A + , e n ֓ U ( Z m × n A ← ), q ֓ U ( Z n s ← q ), α q Gaussian error distribution D α q ֓ D m e ← α q . Typical parameters : n proportional to the bit-security, q = n Θ(1) , m = Θ( n log q ), α ≈ √ n / q . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 3/32

  4. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE [Reg05] LWE parameters: m ≥ n ≥ 1, q ≥ 2 and α > 0. m s s find A A + , e n ֓ U ( Z m × n A ← ), q ֓ U ( Z n s ← q ), α q Gaussian error distribution D α q ֓ D m e ← α q . Typical parameters : n proportional to the bit-security, q = n Θ(1) , m = Θ( n log q ), α ≈ √ n / q . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 3/32

  5. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Search LWE as a Closest Vector Problem variant m s s find A A + , e n A defines the Construction-A lattice L q ( A ) = A Z n q + q Z m . As + e mod q is a point near that lattice. Finding s is finding the closest vector in L q ( A ). LWE is CVP for a uniformly sampled Construction-A lattice, a random lattice vector and a Gaussian lattice offset. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 4/32

  6. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Decision LWE Decide whether a given ( A , b ) is uniformly sampled or of the form ( A , As + e ) with A and s uniform and e sampled from D m α q . This is a distribution distinguishing problem. More convenient for cryptographic design. There are poly-time reductions between search-LWE and decision-LWE [Re05,MiMo11] . [During the talk, I will focus on the search variant] Damien Stehl´ e On algebraic variants of LWE 24/04/2018 5/32

  7. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Decision LWE Decide whether a given ( A , b ) is uniformly sampled or of the form ( A , As + e ) with A and s uniform and e sampled from D m α q . This is a distribution distinguishing problem. More convenient for cryptographic design. There are poly-time reductions between search-LWE and decision-LWE [Re05,MiMo11] . [During the talk, I will focus on the search variant] Damien Stehl´ e On algebraic variants of LWE 24/04/2018 5/32

  8. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion (for α q ≥ 2 √ n ) Hardness results on LWE The Approximate Shortest Vector Problem ApproxSIVP γ : Given B ∈ Z n × n defining L , find ( b i ) i ≤ n in L lin. indep. such that max � b i � ≤ γ · λ n ( L ). Regev’s worst-case to average-case reduction For q prime and ≤ n O (1) , there is a quantum poly-time reduction from ApproxSIVP γ in dimension n to LWE n , m , q ,α , with γ ≈ n /α . Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α · log( n log q Time ≈ exp log 2 α ) Damien Stehl´ e On algebraic variants of LWE 24/04/2018 6/32

  9. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion (for α q ≥ 2 √ n ) Hardness results on LWE The Approximate Shortest Vector Problem ApproxSIVP γ : Given B ∈ Z n × n defining L , find ( b i ) i ≤ n in L lin. indep. such that max � b i � ≤ γ · λ n ( L ). Regev’s worst-case to average-case reduction For q prime and ≤ n O (1) , there is a quantum poly-time reduction from ApproxSIVP γ in dimension n to LWE n , m , q ,α , with γ ≈ n /α . Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α · log( n log q Time ≈ exp log 2 α ) Damien Stehl´ e On algebraic variants of LWE 24/04/2018 6/32

  10. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE is “inefficient” Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α log( n log q Time ≈ exp log 2 α ) Representing an LWE instance is quadratic in the bit-security. One then performs (at least) matrix-vector multiplications... Frodo: submission to the NIST post-quantum standardization process public-key and ciphertexts ≈ 10 kB encryption and decryption ≈ 2 million cycles. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 7/32

  11. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE is “inefficient” Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α log( n log q Time ≈ exp log 2 α ) Representing an LWE instance is quadratic in the bit-security. One then performs (at least) matrix-vector multiplications... Frodo: submission to the NIST post-quantum standardization process public-key and ciphertexts ≈ 10 kB encryption and decryption ≈ 2 million cycles. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 7/32

  12. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Road-map The Learning With Errors problem Algebraic variants of the LWE problem On Polynomial-LWE and Ring-LWE The Middle-Product-LWE problem Damien Stehl´ e On algebraic variants of LWE 24/04/2018 8/32

  13. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Take structured matrices! Damien Stehl´ e On algebraic variants of LWE 24/04/2018 9/32

  14. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Polynomial-LWE [SSTX09] Let q ≥ 2, α > 0, f ∈ Z [ x ] monic irreducible of degree n . Search P-LWE f Given ( a 1 , . . . , a m ) and ( a 1 · s + e 1 , . . . , a m · s + e m ), find s . s uniform in Z q [ x ] / f All a i ’s uniform in Z q [ x ] / f The coefficients of the e i ’s are sampled from D α q This is LWE, with matrix A made of stacked blocks Rot f ( a i ). The j -th row of Rot f ( a i ) is made of the coefficients of x j − 1 · a i mod f . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 10/32

  15. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Polynomial-LWE [SSTX09] Let q ≥ 2, α > 0, f ∈ Z [ x ] monic irreducible of degree n . Search P-LWE f Given ( a 1 , . . . , a m ) and ( a 1 · s + e 1 , . . . , a m · s + e m ), find s . s uniform in Z q [ x ] / f All a i ’s uniform in Z q [ x ] / f The coefficients of the e i ’s are sampled from D α q This is LWE, with matrix A made of stacked blocks Rot f ( a i ). The j -th row of Rot f ( a i ) is made of the coefficients of x j − 1 · a i mod f . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 10/32

  16. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Polynomial-LWE [SSTX09] Let q ≥ 2, α > 0, f ∈ Z [ x ] monic irreducible of degree n . Search P-LWE f Given ( a 1 , . . . , a m ) and ( a 1 · s + e 1 , . . . , a m · s + e m ), find s . s uniform in Z q [ x ] / f All a i ’s uniform in Z q [ x ] / f The coefficients of the e i ’s are sampled from D α q This is LWE, with matrix A made of stacked blocks Rot f ( a i ). The j -th row of Rot f ( a i ) is made of the coefficients of x j − 1 · a i mod f . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 10/32

  17. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Hardness of P-LWE [SSTX09] - oversimplified For any f monic irreducible, there is a quantum reduction from ApproxSVP γ for ideals of Z [ x ] / f to search P-LWE f . The error rate α is proportional to γ and EF( f ) := max i < 2 n � x i mod f � . This is an adaptation of Regev’s ac-wc reduction Vacuous if ApproxSVP for ideals of Z [ x ] / f is easy Damien Stehl´ e On algebraic variants of LWE 24/04/2018 11/32

  18. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Hardness of P-LWE [SSTX09] - oversimplified For any f monic irreducible, there is a quantum reduction from ApproxSVP γ for ideals of Z [ x ] / f to search P-LWE f . The error rate α is proportional to γ and EF( f ) := max i < 2 n � x i mod f � . This is an adaptation of Regev’s ac-wc reduction Vacuous if ApproxSVP for ideals of Z [ x ] / f is easy Damien Stehl´ e On algebraic variants of LWE 24/04/2018 11/32

  19. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Ideal-SVP [SSTX09] - oversimplified For any f monic irreducible, there is a quantum reduction from ApproxSVP for ideals of Z [ x ] / f to search P-LWE f . The reduction may be vacuous if ApproxSVP for ideals of Z [ x ] / f is easy For large approx. factors and some f ’s, faster algorithms are known for such lattices [see L´ eo’s talk] This wouldn’t necessarily impact the P-LWE f hardness The situation is not necessarily uniform across all f ’s Damien Stehl´ e On algebraic variants of LWE 24/04/2018 12/32

Recommend

Algebraic Eigenvalue Problem Algebraic Eigenvalue Problem Computers are useless. They can only

Algebraic Eigenvalue Problem Algebraic Eigenvalue Problem Computers are useless. They can only

Algebraic Eigenvalue Problem Algebraic Eigenvalue Problem Computers are useless. They can only give answers. Pablo Picasso 1 Fall 2010 Topics to Be Discussed Topics to Be Discussed This unit requires the knowledge of eigenvalues This

786 views • 76 slides
Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger University of Basel April 29, 2020 Other Halting Problem Variants Rices Theorem Summary Other Halting Problem Variants Other Halting

675 views • 45 slides
Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin

Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin

Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin Department of Mathematics, Iowa State University Feb 9, 2017 Final Defense Zero forcing and their applns to the min rank problem 1/47 Department

1.24k views • 92 slides
Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we consider here, just like in consensus, the processes need to make consistent decisions, such as agreeing on one common value. Most of the

590 views • 35 slides
A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants

A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants

A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants Nicolas Jozefowiez 1 , Gilbert Laporte 2 , Fr eric Semet 3 ed 1. LAAS-CNRS, INSA, Universit e de Toulouse, Toulouse, France,

345 views • 21 slides
Goal Goal: Illustrate how a problem from algebraic geometry can be approached using combinatorics

Goal Goal: Illustrate how a problem from algebraic geometry can be approached using combinatorics

The combinatorial Problem The cones U and L for the space of phylogenetic trees The algebraic geometry story A combinatorial approach to the study of divisors on M 0 , n Laura Escobar Encuentro Colombiano de Combinatoria 2012 June 14, 2012

533 views • 26 slides
Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem

Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem

Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem Classification How many meshes? Two: Pairwise registration More than two: multi-view registration Initial registration available? Yes: Local

1.1k views • 50 slides
Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness Robustness of a mathematical object (such as proof, definition, algorithm, method, etc.) is measured by its invariance to certain changes To prove that a

944 views • 49 slides
A Symbolic Approach for Solving Algebraic Riccati Equations G. Rance, Y. Bouzidi, Al. Quadrat, Ar.

A Symbolic Approach for Solving Algebraic Riccati Equations G. Rance, Y. Bouzidi, Al. Quadrat, Ar.

Algebraic Riccati Equations for the optimal control problem A new algebraic description The case of 3 order systems A practical example Conclusion and persp A Symbolic Approach for Solving Algebraic Riccati Equations G. Rance, Y. Bouzidi, Al.

554 views • 31 slides
Character Polynomials Problem From Stanleys Positivity Problems in Algebraic

Character Polynomials Problem From Stanleys Positivity Problems in Algebraic

Character Polynomials Problem From Stanleys Positivity Problems in Algebraic Combinatorics Problem 12: Give a combinatorial interpretation of the row sums of the character table for S n (combinatorial proof of non-negativity)

735 views • 28 slides
A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik

A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik

A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik Kang, Jiseung Kim, Changmin Lee ENS de Lyon June 27, 2019 Changmin Lee Analysis of CRT-ACD June 27, 2019 1 / 23 Approximate Common-Divisor

459 views • 29 slides
Problem Formulation for Truth-Table Invariant Cylindrical Algebraic Decomposition by Incremental

Problem Formulation for Truth-Table Invariant Cylindrical Algebraic Decomposition by Incremental

Background material Problem formulation Problem Formulation for Truth-Table Invariant Cylindrical Algebraic Decomposition by Incremental Triangular Decomposition Matthew England (The University of Bath) Joint work with: R. Bradford, J.H.

1.07k views • 68 slides
A deterministic solution to Smales 17th problem Algorithms and complexity in algebraic

A deterministic solution to Smales 17th problem Algorithms and complexity in algebraic

A deterministic solution to Smales 17th problem Algorithms and complexity in algebraic geometry Simons Institute, Berkeley, December 16, 2015 Pierre Lairez TU Berlin Introduction The homotopy method Un algorithme dterministe Smale 17th

549 views • 26 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
The Proof-Search Problem (between bdd-width resolution and bdd-degree semi-algebraic proofs)

The Proof-Search Problem (between bdd-width resolution and bdd-degree semi-algebraic proofs)

The Proof-Search Problem (between bdd-width resolution and bdd-degree semi-algebraic proofs) Albert Atserias Universitat Polit` ecnica de Catalunya Barcelona, Spain Satisfiability Example : 15 variables and 40 clauses x 1 x 2 x 6 x 1

1.16k views • 88 slides
On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea

On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea

On the variants of treewidth On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea GRASTA 2014 Joint work with Hans Bodlaender, Vincent Kreuzen, Stefan Kratsch and Seongmin Ok 1 / 22 On the variants

756 views • 31 slides
Algebraic Monoids and Their Hecke Algebras Jared Marx-Kuo, Vaughan McDonald, John M. OBrien,

Algebraic Monoids and Their Hecke Algebras Jared Marx-Kuo, Vaughan McDonald, John M. OBrien,

Algebraic Monoids and Their Hecke Algebras Jared Marx-Kuo, Vaughan McDonald, John M. OBrien, &amp; Alexander Vetter University of Minnesota REU in Algebraic Combinatorics August 2, 2018 Problem 6 Group (UMN) Algebraic Monoids August 2,

855 views • 36 slides
On Variants of Modified Bar Recursion Paulo Oliva Queen Mary, University of London, UK

On Variants of Modified Bar Recursion Paulo Oliva Queen Mary, University of London, UK

On Variants of Modified Bar Recursion On Variants of Modified Bar Recursion Paulo Oliva Queen Mary, University of London, UK (pbo@dcs.qmul.ac.uk) (Joint work with Mart n Escard o) Domains IX, Brighton 22 September 2008 On Variants of

744 views • 27 slides
Covering Tours with Turn Cost: Variants, Approximation and Practical Solution S andor P.

Covering Tours with Turn Cost: Variants, Approximation and Practical Solution S andor P.

Institute of Operating Systems and Computer Networks Covering Tours with Turn Cost: Variants, Approximation and Practical Solution S andor P. Fekete and Dominik Krupke EuroCG2017, Malm o, 05.04.2017 Introduction Problem Integer

770 views • 27 slides
Algebraic index theorems Polyvector fields Formality for cochains Index problem Examples

Algebraic index theorems Polyvector fields Formality for cochains Index problem Examples

Algebraic index theorems Ryszard Nest L algebras Examples Deformation functor Algebraic index theorems Polyvector fields Formality for cochains Index problem Examples Ryszard Nest Local trace density Formality for chains

972 views • 75 slides
Undecidability everywhere Wang tiles Integer matrices 3 x + 1 problem Bjorn Poonen Algebraic

Undecidability everywhere Wang tiles Integer matrices 3 x + 1 problem Bjorn Poonen Algebraic

Undecidability everywhere Bjorn Poonen Two kinds of undecidability Integration Undecidability everywhere Wang tiles Integer matrices 3 x + 1 problem Bjorn Poonen Algebraic geometry Varieties Isomorphism problem Automorphisms

924 views • 40 slides
Minor variants in HIV-1 Minor variants in HIV-1 Why? Why? University of Cologne Institute of

Minor variants in HIV-1 Minor variants in HIV-1 Why? Why? University of Cologne Institute of

University of Cologne Institute of Virology Minor variants in HIV-1 Minor variants in HIV-1 Why? Why? University of Cologne Institute of Virology with the method of direct sequencing only virus populations 20% can be detected. it

347 views • 15 slides
Steel stacking A problem in inventory management in the steel industry Jo ao Pedro Pedroso

Steel stacking A problem in inventory management in the steel industry Jo ao Pedro Pedroso

Problem description Solution methods Problem variants Conclusions Steel stacking A problem in inventory management in the steel industry Jo ao Pedro Pedroso International Symposium on Mathematics of Logistics TUMSAT, Japan, November 2011

869 views • 47 slides
Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56 Main Aim of the Talk 1. Discuss popular variants of the LWE problem 2. Present a collection of reductions between the variants 3. Explicitly state

990 views • 78 slides

More recommend