pseudorandomness of ring lwe for any ring and modulus
play

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert - PowerPoint PPT Presentation

Oct 29, 2023 •246 likes •1.08k views

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

  1. Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC’17) 10 March 2017 1 / 14

  2. Lattice-Based Cryptography p d o m x g = y N = = ⇒ p m e mod N · q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 14

  3. Lattice-Based Cryptography = ⇒ (Images courtesy xkcd.org) 2 / 14

  4. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations (Images courtesy xkcd.org) 2 / 14

  5. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations ◮ Resists quantum attacks (so far) (Images courtesy xkcd.org) 2 / 14

  6. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations ◮ Resists quantum attacks (so far) ◮ Security from worst-case assumptions (Images courtesy xkcd.org) 2 / 14

  7. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations ◮ Resists quantum attacks (so far) ◮ Security from worst-case assumptions ◮ Solutions to ‘holy grail’ problems in crypto: FHE and related (Images courtesy xkcd.org) 2 / 14

  8. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α 3 / 14

  9. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 ≈ � a 1 , s � ∈ Z q q a 2 ← Z n , b 2 ≈ � a 2 , s � ∈ Z q q . . . 3 / 14

  10. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq 3 / 14

  11. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) 3 / 14

  12. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Hard and Versatile worst case ( n/α ) -SIVP on ≤ search-LWE ≤ decision-LWE ≤ much crypto n -dim lattices (quantum [R’05]) [BFKL’93,R’05,. . . ] 3 / 14

  13. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Hard and Versatile worst case ( n/α ) -SIVP on ≤ search-LWE ≤ decision-LWE ≤ much crypto n -dim lattices (quantum [R’05]) [BFKL’93,R’05,. . . ] ◮ Classically , GapSVP ≤ search-LWE (worse params) [P’09,BLPRS’13] 3 / 14

  14. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] 4 / 14

  15. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : 4 / 14

  16. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] 4 / 14

  17. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] 4 / 14

  18. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] 4 / 14

  19. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] 4 / 14

  20. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] ⋆ Any q = p e — but increases α [MP’12] 4 / 14

  21. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] ⋆ Any q = p e — but increases α [MP’12] ⋆ Any q via “mod-switching” — but increases α [P’09,BV’11,BLPRS’13] 4 / 14

  22. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] ⋆ Any q = p e — but increases α [MP’12] ⋆ Any q via “mod-switching” — but increases α [P’09,BV’11,BLPRS’13] ◮ Increasing q, α yields a weaker ultimate hardness guarantee. 4 / 14

  23. LWE is Efficient (Sort Of) ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · · s  + e = b ∈ Z q    . . . 5 / 14

  24. LWE is Efficient (Sort Of) ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · · s  + e = b ∈ Z q   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ O ( n ) work . per scalar output. 5 / 14

  25. LWE is Efficient (Sort Of) ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · · s  + e = b ∈ Z q   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ O ( n ) work . per scalar output. ◮ Cryptosystems have rather large keys: Ω( n 2 log 2 q ) bits:      . . . .  . .       pk = , Ω( n ) A b         . .  . .   . . � �� � n 5 / 14

  26. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one cheap product          ∈ Z n a i  ⋆ s  + e i  = b i         q operation?     . . . . . . . . . . . . 6 / 14

Recommend

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

Crystal Extraction from the Recycler Ring A.I. Drozhdin Fermi National Accelerator Laboratory P.O. Box 500, Batavia, Illinois 60510 May 31, 2012 1 Recycler Ring Lattice The choices to install the crystal in the Recycler Ring would be

427 views • 13 slides
New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of Sheffield) V. V. Bavula, New criteria for a ring to have a semisim- ple left quotient ring. Arxiv:math.RA:1303.0859. talk-NewCrit-SS-lQuot.tex 1

359 views • 15 slides
A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic stat No el magnetic states es induced b induced by ring e ring exchange change Members: Tsutomu Momoi (RIKEN) Kenn Kubo (Aoyama Gakuinn Univ.)

489 views • 31 slides
T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

The generic model Nongeometric properties A systematic source A topos-theoretic Nullstellensatz This talk in a nutshell: There is a certain ring, the generic ring , which is special in that it is conserva- tive : It has exactly

855 views • 26 slides
EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union: challenges and strategic responses Colloquium 27 October 2015 Dr. Graeme P. Herd , Professor of Transnational Security Studies, George C. Marshall

344 views • 9 slides
From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms II. Universal localisations III. Recollements Throughout, A will denote a ring (with unit) and K a field. I. Ring epimorphisms Ring epimorphisms

418 views • 5 slides
Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res esona onator tors s Initial patterning and update by Agn iuiulkait Uppsala University Motivation Fabricate magneto-plasmonic

321 views • 28 slides
Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB Ring-HF 1 Elektrische Anlagen im AEB Ring HF BG1016 Sicherheitsbelehrung AEB Ring-HF 2 Elektr. Anlagen im BG1016 Netzgerte fr

290 views • 17 slides
thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

A clitellum is a band of thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released After eggs are fertilized in the ring, the ring slips off the worm's body and forms a protective cocoon.

218 views • 7 slides
in store stock case cOLLECTION Description Internal dimensions * SC001 12 on ring case each ring

in store stock case cOLLECTION Description Internal dimensions * SC001 12 on ring case each ring

in store stock case cOLLECTION Description Internal dimensions * SC001 12 on ring case each ring individually 227mmx170mmx38mm set in soft roll soft roll ring section 35mm x35mm * SC002 8 on earring pendant case each lift out inner pad set

605 views • 5 slides
Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter

Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter

Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter extended to FDDI (Fiber Distributed Data Interface) and 802.17 (Resilient Packet Ring) standards Nodes connected in a ring Data always flows in

809 views • 16 slides
Wo rk Sha ring : A la yo ff pre ve ntio n to o l fo r We st Virg inia Ju ly 2 8 , 2 0 1 2 Se a

Wo rk Sha ring : A la yo ff pre ve ntio n to o l fo r We st Virg inia Ju ly 2 8 , 2 0 1 2 Se a

Wo rk Sha ring : A la yo ff pre ve ntio n to o l fo r We st Virg inia Ju ly 2 8 , 2 0 1 2 Se a n OL e a ry, Polic y Ana lyst T he c a se fo r wo rk sha ring Une mployme nt Re ma ins Hig h Sinc e E nd of Re c e ssion 12% 10% Une mplo

549 views • 21 slides
Thoughts from the Shire Geoff Wright A standard for moving surveys between survey One Ring to

Thoughts from the Shire Geoff Wright A standard for moving surveys between survey One Ring to

Thoughts from the Shire Geoff Wright A standard for moving surveys between survey One Ring to rule them all, One Ring to find them, packages on various hardware and software platforms One Ring to bring them all and in the darkness bind them

229 views • 10 slides
Design Design process of FFAG-ERIT ring rocess of FFAG-ERIT ring FFAG09J(2009/11/13) Kota Okabe

Design Design process of FFAG-ERIT ring rocess of FFAG-ERIT ring FFAG09J(2009/11/13) Kota Okabe

Design Design process of FFAG-ERIT ring rocess of FFAG-ERIT ring FFAG09J(2009/11/13) Kota Okabe Conte tents ts Back ground Requirements for FFAG storage ring Magnet design method 2D & 3D magnetic field calculation and

413 views • 25 slides
Ring-on-ring strength measurements on rectangular glass slides Article in Journal of Materials

Ring-on-ring strength measurements on rectangular glass slides Article in Journal of Materials

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/253583431 Ring-on-ring strength measurements on rectangular glass slides Article in Journal of Materials Science January 2007 DOI:

272 views • 4 slides
MPLS TP Ring Fault Detection and Localization draft-jiang-mpls-tp-ring-fd Authors Albert

MPLS TP Ring Fault Detection and Localization draft-jiang-mpls-tp-ring-fd Authors Albert

MPLS TP Ring Fault Detection and Localization draft-jiang-mpls-tp-ring-fd Authors Albert Jiang Guoman Liu Xuehui Dai (ZTE) Purpose & Overview MPLS TP Ring Optimized Node/Link Fault Detection & Localization Mechanism 1)

405 views • 21 slides
High Frequency Voltage Controlled Ring Oscillators in Standard CMOS Yalcin Alper Eken PhD

High Frequency Voltage Controlled Ring Oscillators in Standard CMOS Yalcin Alper Eken PhD

High Frequency Voltage Controlled Ring Oscillators in Standard CMOS Yalcin Alper Eken PhD Candidate in School of ECE GaTech July 7 th , 2003 1 Agenda Integrated VCO types Ring oscillator theory Important characteristics of ring

514 views • 18 slides
Magneto-optical characteristics of Au-Ni metasurface 1. . Gold d ring g stru ructure cture

Magneto-optical characteristics of Au-Ni metasurface 1. . Gold d ring g stru ructure cture

Magneto-optical characteristics of Au-Ni metasurface 1. . Gold d ring g stru ructure cture One ring structure Double ring structure The design optimization 2. . Hybrid Au-Ni Ni ring ng stru ruct cture re The design

129 views • 11 slides
A MASKED RING-LWE IMPLEMENTATION Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, Ingrid

A MASKED RING-LWE IMPLEMENTATION Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, Ingrid

A MASKED RING-LWE IMPLEMENTATION Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, Ingrid Verbauwhede COSIC/KU Leuven CHES 2015, Saint-Malo, FR 1 un protected ring-LWE decryption r2 m=th[INTT(c 1 *r 2 + c 2 )] 2 un protected ring-LWE

477 views • 36 slides
ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo

ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo

ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo staphylococcal ring worm herpes 3-4 weeks 2-3 weeks impetigo staphylococcal 1 week 1 week wrestlers are 16x more likely than other athletes to

613 views • 60 slides
Mode l Pre dic tive Control for E ne rg y- e ffic ie nt Ma ne uve ring of Conne c te d

Mode l Pre dic tive Control for E ne rg y- e ffic ie nt Ma ne uve ring of Conne c te d

Mode l Pre dic tive Control for E ne rg y- e ffic ie nt Ma ne uve ring of Conne c te d Autonomous Ve hic le s So uthwe st Re se a rc h I nstitute Unive rsity o f Mic hig a n T o yo ta Mo to r E ng ine e ring & Ma nufa c turing , No

654 views • 6 slides
Oleksiy Dolinskyy May 22, 2013 Outline Tasks of the CR Requirements to the ring

Oleksiy Dolinskyy May 22, 2013 Outline Tasks of the CR Requirements to the ring

Oleksiy Dolinskyy May 22, 2013 Outline Tasks of the CR Requirements to the ring Optics solutions Corrections Injection / extraction Overview FAIR layout Collector Ring Magnetic rigidity 13 Tm Circumference

879 views • 48 slides

More recommend