problems
play

PROBLEMS Akinori Kawachi, KeisukeTanaka, and Keita Xagawa PKC 2007 - PowerPoint PPT Presentation

Sep 28, 2022 •362 likes •732 views

MULTI-BIT CRYPTOSYSTEMS BASED ON LATTICE PROBLEMS Akinori Kawachi, KeisukeTanaka, and Keita Xagawa PKC 2007 (Tokyo Institute ofTechnology) Agenda Background Our Results Conclusion Agenda Background Lattices Lattice

  1. MULTI-BIT CRYPTOSYSTEMS BASED ON LATTICE PROBLEMS Akinori Kawachi, KeisukeTanaka, and Keita Xagawa PKC 2007 (Tokyo Institute ofTechnology)

  2. Agenda  Background  Our Results  Conclusion

  3. Agenda  Background  Lattices  Lattice problems  Lattice-based cryptosystems  Motivation  Our Results  Conclusion

  4. Lattices  Given: B =[ b 1 ,..., b n ]  L( B ) := {Σ i α i b i | α i ∈ Z for all i} L b 1 b 2 0

  5. SVP (ShortestVector Problem) SVP: Given a basis B of a lattice L, find a shortest non-zero vector v in L b 1 2 b 1 -3 b 2 b 2 0

  6. uSVP (unique ShortestVector Problem) v: 2-unique v 0

  7. Hardness of uSVP  If f < g, f-uSVP is not easier than g-uSVP  v :g-unique  v :f-unique  f=1  NP-hard [Kumar and Sivakumar ‘01]  f=n 1/4  coAM (seems not NP-hard) [Cai ‘98]  f=poly(n)  ?  Assumption:  If f=poly(n), f-uSVP is intractable in the worst-case

  8. Lattice-BasedCryptosystems  Based on lattice problems  SVP, uSVP, CVP, and etc  Advantages  Fast encryption and decryption  (Seemes) hard to attack with quantum power  Two types  TypeA: efficient, but no security proofs  Type B: security proofs, but inefficient

  9. RelatedWorks Type A Type B AD [Ajtai and Dwork ’97] GGH AD GGH (Errorless version of AD cryptosystem) [Goldreich, Goldwasser, and Halevi ‘98] [Goldreich, Goldwasser, and Halevi ‘98] NTRU [Hoffstein, Pipher, and Silverman ‘98] Regev04 [Regev ‘04] Regev05 Ajtai 05 [Regev ’05] [Ajtai ’05]

  10. Type B  AD GGH , Regev04, Regev05, and Ajtai05  Advantage  Provable security  with average-case/worst-case connection (except Ajtai05)  Disadvantages  |pk| is huge  |plaintext|=1

  11. Motivation  Towards practical lattice-based cryptosystems in Type B 1. |pk|  small 2. |plaintext|  large  w/o changing |cipher|

  12. Agenda  Background  Our Results  Summary  Review of Regev04  Our technique  Analysis of trade-off  Pseudohomomorphism  Conclusion

  13. Our Results  Results  Proposal of multi-bit versions ofType B  AD GGH , Regev04, Regev05, and Ajtai05  Analysis of the trade-off  between the size of plaintext and security levels  Pseudohomomorphism  AD GGH , Regev04, Regev05, and Ajtai05

  14. Eg: Regev04  Security parameter: n  n is the dimension of lattices  Key Generation  Encryption  Decryption  Decryption Errors  Security Reduction

  15. Regev04 - Key Generation 1  Choose private priod d  Consider periodic Gaussian distrib. with variance α 2 Probability N=2 8n2 0 d

  16. Regev04 - Key Generation 2  Choose a 1 ,…,a m according to the distribution 0 N

  17. Regev04 - Key Generation 3  Decide the index k  a k /2 must be in “bottom” 0 N a k /2 a k

  18. Regev04 - Key Generation 4  Secret Key: d  Public Key: a 1 ,…,a m ,k 0 d N a k /2 a k

  19. Regev04 - Encryption of “0”  r ∈ R {0,1} m  E(0) = Σ i r i a i mod N 0 d N

  20. Regev04 - Encryption of “1”  r ∈ R {0,1} m  E(1) = a k /2 + Σ i r i a i mod N 0 d N a k /2

  21. Regev04 - Decryption 1  Received ciphertext is c ∈ {0,…,N -1}  Consider c mod d 0 d

  22. Regev04 - Decryption 2  Decrypt to “0” 0 d

  23. Regev04 - Decryption 3  Decrypt to “1” 0 d

  24. Regev04 - Decryption Errors  Consider c mod d 0 d

  25. Regev04 - Security  E(0) vs. E(1) with pk  E(0) vs. U with pk  E(0) vs. U with pk  O(n/α) -uSVP in the worst case  α 2 is the variance of distrib. in key generation 0 d N a k /2

  26. Regev04 - Security  E(0) vs. E(1) with pk  E(0) vs. U with pk  E(0) vs. U with pk  O(n/α) -uSVP in the worst case  α 2 is the variance of distrib. in key generation O(n/α) -uSVP in the worst case 0 d N a k /2

  27. OurTechnique  #plaintext : 2  p  Increase # of “waves”  Same |ciphertext| and |pk|

  28. Multi Bit - Illustration  E(0): Blue  E(1): Green 0 d

  29. Multi Bit - Illustration  Increase # of “waves”  with a k =(p+1)d+e 0 d a k /p

  30. Multi Bit - Illustration  make “waves” thin to decrease decrytpion errors  Variance: α 2  ( α/p) 2 in key generation 0 d a k /p

  31. Multi Bit - Illustration  Variance: α 2  ( α/p) 2  Underlying Problem: O(n/α) -uSVP  O(pn/α) -uSVP 0 d a k /p

  32. Comparison Regev04 Ours plaintext 1 log p  8n 2 ciphertext  Õ(n 4 ) public key  Õ(n 2 ) secret key Õ(n 1.5 )-uSVP Õ( p n 1.5 )-uSVP security

  33. Comparison - 2 AD GGH Ours Regev04 Ours plaintext 1 log p 1 log p O(n 11 )- O( p n 11 )- Õ(n 1.5 )- Õ( p n 1.5 )- security uSVP uSVP uSVP uSVP Regev05 Ours Ajtai05 Ours plaintext 1 log p 1 log p SVP Õ(n1.5) SVP Õ( p n1.5) DA DA’ security

  34. Homomorphism of PKE  E(m)+E(m’)=E(m+m’)  cf. RSA, Goldwasser-Micali,...  Do R04 and ours have homomorphism?  No  Pseudo-homomorphism

  35. Pseudo-homomorphism  D(blue)=0, D(green)=1  D(blue+green)=1 , D(green+green)=0 0 d a k /2 mod d

  36. Conclusions  Results  Proposal of multi-bit versions ofType B  AD GGH , Regev04, Regev05, and Ajtai05  Analysis of the trade-off  between the size of plaintext and security levels  Pseudo-homomorphism  AD GGH , Regev04, Regev05, and Ajtai05  Open Problem  Q (n)-bit cryptosystems with a/w connection  We develop O(log n)-bit cryptosystems with a/w  It may require new idea

Recommend

Solving Percent Problems Word Problems Find a Pattern Estimation Problems Fraction Problems

Solving Percent Problems Word Problems Find a Pattern Estimation Problems Fraction Problems

Slide 1 / 142 Slide 2 / 142 Table of Contents Strategies &amp; Plans for Problem Solving Rate Problems Solving Percent Problems Word Problems Find a Pattern Estimation Problems Fraction Problems Pre-Algebra LCM / GCF Problems Combination

477 views • 24 slides
5. Network flow problems Example: Sailco Minimum-cost flow problems Transportation

5. Network flow problems Example: Sailco Minimum-cost flow problems Transportation

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 5. Network flow problems Example: Sailco Minimum-cost flow problems Transportation problems Shortest/longest path problems Max-flow problems Integer solutions

541 views • 30 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known. E.g., NP-hard problems such as machine scheduling, bin packing, 0/1 knapsack. Is this necessarily bad? Data encryption relies on difficult

721 views • 15 slides
MA/CSSE 473 Day 40 Problems Decision Problems P and NP MA/CSSE 473 Day 40 HW 15 Due at

MA/CSSE 473 Day 40 Problems Decision Problems P and NP MA/CSSE 473 Day 40 HW 15 Due at

MA/CSSE 473 Day 40 Problems Decision Problems P and NP MA/CSSE 473 Day 40 HW 15 Due at 11:59 PM tonight (it's a little different!); late day until 11:59 PM Saturday. Fill out the Course evaluation form If everybody in a section

323 views • 17 slides
Introduction to Data Science: Common observation to be religion, income, frequency where sex and

Introduction to Data Science: Common observation to be religion, income, frequency where sex and

Tidying data Common problems in messy data Tidy data and the ER model Common problems in messy data Common problems in messy data Common problems in messy data Common problems in messy data Common problems in messy data Common problems in

680 views • 21 slides
Boundary value problems What problems does boundary value testing have? ECT2 Boundary

Boundary value problems What problems does boundary value testing have? ECT2 Boundary

Equivalence Class Testing Chapter 6 Boundary value problems What problems does boundary value testing have? ECT2 Boundary value problems 2 Boundary Value Testing derives test cases with Serious gaps Massive redundancy

696 views • 36 slides
Engineering Problems Identifying problems appropriate for engineering solutions Some Examples of

Engineering Problems Identifying problems appropriate for engineering solutions Some Examples of

Engineering Problems Identifying problems appropriate for engineering solutions Some Examples of Engineering Problems and Projects that follow the Design Process Identify Problem -&gt; Define Requirements -&gt; Design a Solution (PSU

590 views • 25 slides
Our thesis is all of our problems ultimately are theological ones. To some degree, our problems

Our thesis is all of our problems ultimately are theological ones. To some degree, our problems

Our thesis is all of our problems ultimately are theological ones. To some degree, our problems always stem from either not knowing or seeing who God is or forgetting who he is at the moment. Elisabeth Elliot has a wonderful, realistic, both

290 views • 10 slides
Equivalence Class Testing Chapter 6 Boundary value problems What problems does boundary value

Equivalence Class Testing Chapter 6 Boundary value problems What problems does boundary value

Equivalence Class Testing Chapter 6 Boundary value problems What problems does boundary value testing have? ECT2 Boundary value problems 2 Generates test cases with Serious gaps Massive redundancy ECT3 Motivation for

752 views • 44 slides
Satisfiability Solvers So far, weve been dealing with SAT problems that encode other

Satisfiability Solvers So far, weve been dealing with SAT problems that encode other

Structured vs. Random Problems Satisfiability Solvers So far, weve been dealing with SAT problems that encode other problems Most not as hard as # of variables &amp; clauses suggests Small crossword grid + medium-sized dictionary

419 views • 4 slides
4. Minimax and planning problems Optimizing piecewise linear functions Minimax problems

4. Minimax and planning problems Optimizing piecewise linear functions Minimax problems

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 4. Minimax and planning problems Optimizing piecewise linear functions Minimax problems Example: Chebyshev center Multi-period planning problems Example: building a

411 views • 25 slides
Sample Graph Problems Path problems. Graph Operations And Connectedness problems.

Sample Graph Problems Path problems. Graph Operations And Connectedness problems.

Sample Graph Problems Path problems. Graph Operations And Connectedness problems. Representation Spanning tree problems. Path Finding Another Path Between 1 and 8 Path between 1 and 8. 2 2 4 3 4 3 8 8 8 8 1 1 6 10

95 views • 9 slides
More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps

More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps

More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps We can now reduce 3SAT to a large number of problems, either directly or indirectly. Each reduction must be polytime. Usually we focus

871 views • 49 slides
E4.1 Graph Problems P, NP Automata Theory Theory Polynomial Reductions Turing Computability

E4.1 Graph Problems P, NP Automata Theory Theory Polynomial Reductions Turing Computability

Theory of Computer Science May 18, 2020 E4. Some NP-Complete Problems, Part I Theory of Computer Science E4. Some NP-Complete Problems, Part I E4.1 Graph Problems Gabriele R oger E4.2 Routing Problems University of Basel May 18, 2020

145 views • 10 slides
Decidability 12-0 Decidable Problems Interesting problems regarding regular

Decidability 12-0 Decidable Problems Interesting problems regarding regular

Griffith University 3130CIT Theory of Computation (Based on slides by Harald Sndergaard of The University of Melbourne) Decidability 12-0 Decidable Problems Interesting problems regarding regular languages are

351 views • 20 slides
Wicked Problems &amp; Leadership Keith Grint The Problem with Change Do d ifferent kinds of

Wicked Problems &amp; Leadership Keith Grint The Problem with Change Do d ifferent kinds of

Wicked Problems &amp; Leadership Keith Grint The Problem with Change Do d ifferent kinds of problems require different kinds of change? 1. Critical Problems: Commander 2. Tame Problems: Management 3. Wicked Problems: Leadership Problems,

573 views • 23 slides
Undecidable problems I There quite a few undecidable problems For example, program verification

Undecidable problems I There quite a few undecidable problems For example, program verification

Undecidable problems I There quite a few undecidable problems For example, program verification is in general not solvable We will discuss an undecidable example called the halting problem November 17, 2020 1 / 11 A TM I A TM = { M ,

392 views • 11 slides
Chapter 2 Linear Ill-Posed Problems Observations from previous chapter Ill-Posed Problems in

Chapter 2 Linear Ill-Posed Problems Observations from previous chapter Ill-Posed Problems in

Linear Ill-Posed Problems Michael Moeller Chapter 2 Linear Ill-Posed Problems Observations from previous chapter Ill-Posed Problems in Image and Signal Processing Finite dimensional WS 2014/2015 linear operators Some functional analysis

1.29k views • 99 slides
NP-complete problems Informally, these are the hardest problems in the class NP CS 3813:

NP-complete problems Informally, these are the hardest problems in the class NP CS 3813:

NP-complete problems Informally, these are the hardest problems in the class NP CS 3813: Introduction to Formal If any NP-complete problem can be solved by a Languages and Automata polynomial time deterministic algorithm, then every

179 views • 3 slides
Constraint Satisfaction Problems Problems Artificial Intelligence AIMA 2 nd edition, chapter 5

Constraint Satisfaction Problems Problems Artificial Intelligence AIMA 2 nd edition, chapter 5

Constraint Satisfaction Problems Problems Artificial Intelligence AIMA 2 nd edition, chapter 5 Section 1 3 Hadi Moradi 1 Outline Constraint Satisfaction Problems (CSP) Backtracking search for CSPs B kt ki h f CSP Local

369 views • 17 slides
More on negative results We proved that the following problems are not in P: ATM

More on negative results We proved that the following problems are not in P: ATM

More on negative results We proved that the following problems are not in P: ATM Incompressible strings A certain language in EXP By reduction, we proved that more problems are not in P These problems do not include many we really

312 views • 27 slides
Constraint Satisfaction Problems Multi-dimensional Selection Problems Given a set of

Constraint Satisfaction Problems Multi-dimensional Selection Problems Given a set of

Constraint Satisfaction Problems Multi-dimensional Selection Problems Given a set of variables, each with a set of possible values (a domain), assign a value to each variable that either satisfies some set of constraints:

513 views • 12 slides

More recommend