on bounded distance decoding unique shortest vectors and
play

On Bounded Distance Decoding, Unique Shortest Vectors, and the - PowerPoint PPT Presentation

Apr 06, 2024 •945 likes •1.33k views

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set of linearly independent

  1. On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio

  2. Lattices Lattice: A discrete additive subgroup of R n

  3. Lattices Basis: A set of linearly independent vectors that generate the lattice.

  4. Lattices Basis: A set of linearly independent vectors that generate the lattice.

  5. Why are Lattices Interesting? (In Cryptography) � � Ajtai ('96) showed that solving “average” instances of some lattice problem implies solving all instances of a lattice problem � Possible to base cryptography on worst-case instances of lattice problems

  6. [Ajt '96,...] Minicrypt SIVP primitives

  7. Shortest Independent Vector Problem (SIVP) � Find n short linearly independent vectors

  8. Shortest Independent Vector Problem (SIVP) � Find n short linearly independent vectors

  9. Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

  10. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP

  11. Minimum Distance Problem (GapSVP) � Find the minimum distance between the vectors in the lattice

  12. Minimum Distance Problem (GapSVP) � d Find the minimum distance between the vectors in the lattice

  13. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP

  14. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  15. Unique Shortest Vector Problem (uSVP) � Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

  16. Unique Shortest Vector Problem (uSVP) � Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

  17. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  18. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n (quantum reduction) � GapSVP Cryptosystem Regev '05 ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  19. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n (quantum reduction) � GapSVP Cryptosystems Regev '05 Peikert '09 ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  20. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n n (quantum reduction) � [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  21. Bounded Distance Decoding (BDD) � Given a target vector that's close to the lattice, find the nearest lattice vector

  22. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n n (quantum reduction) � [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] 1 1 2 Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  23. Minicrypt SIVP primitives (quantum reduction) � GapSVP Crypto- BDD systems uSVP

  24. Cryptosystem Hardness Assumptions uSVP BDD GapSVP SIVP (quantum) O(n 2 ) O(n 2 ) O(n 2.5 ) O(n 3 ) Ajtai-Dwork '97 Regev '03 O(n 1.5 ) O(n 1.5 ) O(n 2 ) O(n 2.5 ) Regev '05 - - - O(n 1.5 ) Peikert '09 O(n 1.5 ) O(n 1.5 ) O(n 2 ) O(n 2.5 ) Implications of our results

  25. Lattice-Based Primitives Minicrypt Public-Key Cryptosystems [AD '97] (uSVP) � One-way functions [Ajt '96] � � [Reg '03] (uSVP) � Collision-resistant hash � � functions [Ajt '96,MR '07] [Reg '05] (SIVP and GapSVP under � quantum reductions) � Identification schemes � [MV '03,Lyu '08, KTX '08] [Pei '09] (GapSVP) � � Signature schemes [LM '08, � GPV '08] All Based on All Based on GapSVP and GapSVP quantum SIVP and SIVP Major Open Problem: Construct cryptosystems based on SIVP

  26. Reductions GapSVP BDD 1 1 2 uSVP

  27. Proof Sketch (BDD < uSVP) �

  28. Proof Sketch (BDD < uSVP) �

  29. Proof Sketch (BDD < uSVP) �

  30. Proof Sketch (BDD < uSVP) �

  31. Proof Sketch (BDD < uSVP) �

  32. Proof Sketch (BDD < uSVP) � New basis vector used exactly once in constructing the unique shortest vector

  33. Proof Sketch (BDD < uSVP) � New basis vector used exactly once in constructing the unique shortest vector

  34. Proof Sketch (BDD < uSVP) � New basis vector used exactly once in constructing the unique shortest vector Subtracting unique shortest vector from new basis vector gives the closest point to the target.

  35. Open Problems � Can we construct cryptosystems based on SIVP − (SVP would be even better!) � � Can the reduction GapSVP < BDD be tightened? � Can the reduction BDD < uSVP be tightened?

  36. Thanks!

Recommend

Fast Shortest Path Distance Estimation in Large Networks Michalis Potamias Francesco

Fast Shortest Path Distance Estimation in Large Networks Michalis Potamias Francesco

Fast Shortest Path Distance Estimation in Large Networks Michalis Potamias Francesco Bonchi Carlos Castillo Aristides Gionis Context-aware Search use shortest-path distance in wikipedia links-graph! S h o r t e s t

685 views • 19 slides
Three Graph Algorithms Shortest Distance Paths Distance/Cost of a path in weighted graph sum of

Three Graph Algorithms Shortest Distance Paths Distance/Cost of a path in weighted graph sum of

Three Graph Algorithms Shortest Distance Paths Distance/Cost of a path in weighted graph sum of weights of all edges on the path path A, B, E, cost is 2+3=5 path A, B, C, E, cost is 2+1+4=7 How to find shortest distance path from a node

335 views • 6 slides
Truly Subcubic Algorithms for Language Edit Distance and RNA Folding via Fast Bounded-Difference

Truly Subcubic Algorithms for Language Edit Distance and RNA Folding via Fast Bounded-Difference

Truly Subcubic Algorithms for Language Edit Distance and RNA Folding via Fast Bounded-Difference Min-Plus Product Karl Bringmann , Fabrizio Grandoni, Barna Saha, Virginia Vassilevska Williams June 11, 2017 Bounded Differences (BD) Matrices

641 views • 22 slides
Computing Shortest Non-Trivial Cycles on Orientable Surfaces of Bounded Genus in Almost Linear

Computing Shortest Non-Trivial Cycles on Orientable Surfaces of Bounded Genus in Almost Linear

Computing Shortest Non-Trivial Cycles on Orientable Surfaces of Bounded Genus in Almost Linear Time Martin Kutz Max-Planck Institut fr Informatik Saarbrcken, Germany max planck institut Martin Kutz: Shortest non-trivial cycles on surfaces

946 views • 78 slides
STRUCTS IN C THE SHORTEST DISTANCE BETWEEN TWO POINTS IS UNDER CON STRUCT ION -- NOELIE ALTITO

STRUCTS IN C THE SHORTEST DISTANCE BETWEEN TWO POINTS IS UNDER CON STRUCT ION -- NOELIE ALTITO

STRUCTS IN C THE SHORTEST DISTANCE BETWEEN TWO POINTS IS UNDER CON STRUCT ION -- NOELIE ALTITO THERE ONCE WAS A YOUNG MAN FROM LYME WHO COULDN'T GET HIS LIMERICKS TO RHYME WHEN ASKED &quot;WHY NOT?&quot; IT WAS SAID THAT HE THOUGHT THEY WERE

256 views • 13 slides
Shortest Paths A priority queue will turn out to be useful for efficiency An example of

Shortest Paths A priority queue will turn out to be useful for efficiency An example of

2/21/2016 Dijkstras Algorithm The idea: reminiscent of BFS, but adapted to handle weights Grow the set of nodes whose shortest distance has been computed CSE373: Data Structures and Algorithms Nodes not in the set will have a

208 views • 8 slides
23. Shortest Paths Motivation, Dijkstras algorithm on distance graphs, Bellman-Ford Algorithm,

23. Shortest Paths Motivation, Dijkstras algorithm on distance graphs, Bellman-Ford Algorithm,

23. Shortest Paths Motivation, Dijkstras algorithm on distance graphs, Bellman-Ford Algorithm, Floyd-Warshall Algorithm [Ottman/Widmayer, Kap. 9.5 Cormen et al, Kap. 24.1-24.3, 25.2-25.3] 644 River Crossing (Missionaries and Cannibals)

533 views • 38 slides
Hardness of exact distance queries in sparse graphs through hub labeling Adrian Kosowski,

Hardness of exact distance queries in sparse graphs through hub labeling Adrian Kosowski,

Hardness of exact distance queries in sparse graphs through hub labeling Adrian Kosowski, Przemysaw Uznaski and Laurent Viennot Inria University of Wrocaw Irif (Paris Univ.) Shortest-path oracle What is the shortest path from A to

440 views • 20 slides
Non-unique factorizations in bounded hereditary noetherian prime rings Daniel Smertnig

Non-unique factorizations in bounded hereditary noetherian prime rings Daniel Smertnig

Non-unique factorizations in bounded hereditary noetherian prime rings Daniel Smertnig University of Waterloo Conference on Rings and Factorizations Graz, Feb 21, 2018 Outline Factorizations in noncommutative rings Non-unique factorizations

589 views • 34 slides
Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets

Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets

Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets and biangular lines Ferenc Szll osi szoferi@gmail.com This research has been carried out while the speaker was with the Department of

689 views • 34 slides
Clustering In this example distance matrix: and have the most similar vectors 0 0.265 0.799

Clustering In this example distance matrix: and have the most similar vectors 0 0.265 0.799

30 Mar 15 A distance matrix allows us to create clusters Clustering In this example distance matrix: and have the most similar vectors 0 0.265 0.799 and are the second most similar 0.265 0 0.534 and are the third most

315 views • 3 slides
1 Dynamic Programming Dynamic Programming is a technique for solving problems

1 Dynamic Programming Dynamic Programming is a technique for solving problems

All Shortest Paths Questions from exercises and exams The Problem: G = (V, E, w) is a weighted directed graph. We want to find the shortest path between any pair of vertices in G. Example: find the distance between cities on a

431 views • 12 slides
6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics

6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics

6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics Hard-decision &amp; soft-decision decoding Performance issues: decoder complexity, post- decoding BER, free distance concept 6.02 Fall 2012

488 views • 20 slides
Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html

Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html

Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html #simplelist D. J. Bernstein University of Illinois at Chicago Thanks to: Cisco University Research Program And thanks to: NIST grant 60NANB10D263

580 views • 20 slides
Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit

Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit

Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit Vectors Homework 1 Vectors and Scalars Vector - quantity that has magnitude and direction e.g. displacement, velocity, acceleration, force

560 views • 16 slides
Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings

Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings

Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings and notes from prof. Tom Cormen Single Source SP Context: directed graph G=(V ,E,w), weighted edges The shortest path (SP) between

881 views • 69 slides
Axial vectors and transversal short-distance constraints Martin Hoferichter Institute for Nuclear

Axial vectors and transversal short-distance constraints Martin Hoferichter Institute for Nuclear

Axial vectors and transversal short-distance constraints Martin Hoferichter Institute for Nuclear Theory University of Washington Third Plenary Workshop of the Muon g 2 Theory Initiative INT Workshop on Hadronic contributions to ( g 2 )

383 views • 11 slides
Helpful Online Presentation Hints Distance learning is a unique environment

Helpful Online Presentation Hints Distance learning is a unique environment

Helpful Online Presentation Hints Distance learning is a unique environment Presentation is a balance between content and style Its often difficult to step back and put yourself in the audiences seat What makes the online

287 views • 3 slides
4.4 Shortest Paths in a Graph shortest path from Princeton CS department to Einstein's house

4.4 Shortest Paths in a Graph shortest path from Princeton CS department to Einstein's house

4.4 Shortest Paths in a Graph shortest path from Princeton CS department to Einstein's house Shortest Path Problem Shortest path network. Directed graph G = (V, E). Source s, destination t. Length e = length of edge e. Shortest

226 views • 6 slides
Non-metric Methods We have focused on real-valued feature vectors or discrete valued numbers

Non-metric Methods We have focused on real-valued feature vectors or discrete valued numbers

Non-metric Methods We have focused on real-valued feature vectors or discrete valued numbers with a natural measure of distance between vectors (metric) Some classification problems describe a pattern by a list of attributes: a fruit may

689 views • 26 slides
Outline and Reading Weighted graphs (7.1) Shortest Paths Shortest path problem Shortest

Outline and Reading Weighted graphs (7.1) Shortest Paths Shortest path problem Shortest

Outline and Reading Weighted graphs (7.1) Shortest Paths Shortest path problem Shortest path properties Dijkstras algorithm (7.1.1) 0 A 4 8 Algorithm 2 8 2 3 Edge relaxation 7 1 B C D The Bellman-Ford

348 views • 4 slides
Challenges in Distributed Shortest Paths Algorithms Danupon Nanongkai KTH Royal Institute of

Challenges in Distributed Shortest Paths Algorithms Danupon Nanongkai KTH Royal Institute of

Challenges in Distributed Shortest Paths Algorithms Danupon Nanongkai KTH Royal Institute of Technology, Sweden 1 SIROCCO 2016 About this talk Main focus s-t Distance Known (1+ e )-approx. in Q (n 1/2 +D) time Open problem Technical

1.34k views • 98 slides
Improved Reduction from BDD to uSVP Shi Bai; Damien Stehl; Weiqiang Wen ENS de Lyon Improved

Improved Reduction from BDD to uSVP Shi Bai; Damien Stehl; Weiqiang Wen ENS de Lyon Improved

Rump Session 2016 Improved Reduction from BDD to uSVP Shi Bai; Damien Stehl; Weiqiang Wen ENS de Lyon Improved reduction from BDD to U SVP Shi Bai, Damien Stehl e and Weiqiang Wen Bounded Distance Decoding (BDD ) Let &gt; 0. Given

322 views • 7 slides
Methods of Adding Vectors Geometrically MCV4U: Calculus &amp; Vectors Recall that two vectors are

Methods of Adding Vectors Geometrically MCV4U: Calculus &amp; Vectors Recall that two vectors are

g e o m e t r i c v e c t o r s g e o m e t r i c v e c t o r s Methods of Adding Vectors Geometrically MCV4U: Calculus &amp; Vectors Recall that two vectors are equivalent if they have the same magnitude and direction. This means that vectors

281 views • 4 slides

More recommend