public key cryptosystems from the worst case shortest
play

Public-Key Cryptosystems from the Worst-Case Shortest Vector - PowerPoint PPT Presentation

Aug 24, 2022 •162 likes •908 views

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

  1. Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI → Georgia Tech Impagliazzo’s World Workshop 1 / 16

  2. This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP 3 Proof & Future Work 2 / 16

  3. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: b 2 n b 1 � L = ( Z · b i ) i = 1 λ 3 / 16

  4. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: b 2 n b 1 � L = ( Z · b i ) i = 1 λ Shortest Vector Problem ( γ - GapSVP ) ◮ Given B , decide: λ ≤ 1 or λ > γ ? 3 / 16

  5. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n � L = ( Z · b i ) λ i = 1 b 1 b 2 Shortest Vector Problem ( γ - GapSVP ) ◮ Given B , decide: λ ≤ 1 or λ > γ ? 3 / 16

  6. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: b 1 n b 2 � L = ( Z · b i ) i = 1 λ γ · λ Shortest Vector Problem ( γ - GapSVP ) ◮ Given B , decide: λ ≤ 1 or λ > γ ? Unique SVP ( γ - uSVP ) ◮ Given B with ‘ γ -unique’ shortest vector, find it. 3 / 16

  7. Worst-Case Complexity GapSVP √ n γ = 2 ( log n ) 1 − ǫ 2 ∼ n n NP-hard ∗ ∈ coNP ∈ P (some) crypto [Ajt96,. . . , [Ajt98,. . . ,HR07] [GG98,AR05] [LLL82,Sch87] MR04,Reg05] 4 / 16

  8. Worst-Case Complexity GapSVP √ n γ = 2 ( log n ) 1 − ǫ 2 ∼ n n NP-hard ∗ ∈ coNP ∈ P (some) crypto [Ajt96,. . . , [Ajt98,. . . ,HR07] [GG98,AR05] [LLL82,Sch87] MR04,Reg05] ◮ For γ = poly ( n ) , best algorithm is 2 n time & space [AKS01] 4 / 16

  9. Worst-Case Complexity GapSVP √ n γ = 2 ( log n ) 1 − ǫ 2 ∼ n n NP-hard ∗ ∈ coNP ∈ P (some) crypto [Ajt96,. . . , [Ajt98,. . . ,HR07] [GG98,AR05] [LLL82,Sch87] MR04,Reg05] ◮ For γ = poly ( n ) , best algorithm is 2 n time & space [AKS01] uSVP √ n γ = 4 n 1 . 5 ?? ∈ coAM crypto NP-hard [AD97/07,Reg03] [Cai98] 4 / 16

  10. Taxonomy of Lattice-Based Crypto ‘minicrypt’ OWF [Ajt96,. . . ] Sigs [LM08,GPV08] ID schemes [MV03,Lyu08] 5 / 16

  11. Taxonomy of Lattice-Based Crypto ‘minicrypt’ OWF [Ajt96,. . . ] Sigs [LM08,GPV08] ID schemes [MV03,Lyu08] ☞ GapSVP etc. hard 5 / 16

  12. Taxonomy of Lattice-Based Crypto ‘CRYPTOMANIA’ ‘minicrypt’ OWF [Ajt96,. . . ] PKE [AD97,Reg03,Reg05] Sigs CCA [PW08] [LM08,GPV08] ID schemes [MV03,Lyu08] ID-based [GPV08] ☞ GapSVP etc. hard 5 / 16

  13. Taxonomy of Lattice-Based Crypto ‘CRYPTOMANIA’ ‘minicrypt’ OWF [Ajt96,. . . ] PKE [AD97,Reg03,Reg05] Sigs CCA [PW08] [LM08,GPV08] ID schemes [MV03,Lyu08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09], KDM [ACPS09], HIBE [P09]) ☞ GapSVP etc. hard 5 / 16

  14. Taxonomy of Lattice-Based Crypto ‘CRYPTOMANIA’ ‘minicrypt’ OWF [Ajt96,. . . ] PKE [AD97,Reg03,Reg05] Sigs CCA [PW08] [LM08,GPV08] ID schemes [MV03,Lyu08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09], KDM [ACPS09], HIBE [P09]) ☞ GapSVP etc. hard ☞ uSVP hard ☞ GapSVP etc. quantum -hard 5 / 16

  15. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 6 / 16

  16. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 ≈ � a 1 , s � mod q a 1 a 2 , b 2 ≈ � a 2 , s � mod q . . . 6 / 16

  17. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 = � a 1 , s � + x 1 mod q a 1 a 2 , b 2 = � a 2 , s � + x 2 mod q . . . Uniform a i ∈ Z n q , Gaussian errors x i α · q ≥ √ n 6 / 16

  18. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 = � a 1 , s � + x 1 mod q a 1 a 2 , b 2 = � a 2 , s � + x 2 mod q . . . Uniform a i ∈ Z n q , Gaussian errors x i α · q ≥ √ n ◮ Decision: distinguish from uniform ( a i , b i ) 6 / 16

  19. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 = � a 1 , s � + x 1 mod q a 1 a 2 , b 2 = � a 2 , s � + x 2 mod q . . . Uniform a i ∈ Z n q , Gaussian errors x i α · q ≥ √ n ◮ Decision: distinguish from uniform ( a i , b i ) State of the Art ( n /α ) -GapSVP etc. ≤ search-LWE ≤ decision-LWE ≤ crypto quantum prime q = poly ( n ) [R05,PW08,GPV08, PVW08,AGV09,ACPS09,. . . ] [Reg05] [BFKL94,R05] 6 / 16

  20. Our Results First public-key encryption based on classical GapSVP hardness 7 / 16

  21. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors 7 / 16

  22. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n 7 / 16

  23. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n ⋆ ‘Improve ζ to ( n /α ) ’-GapSVP: q ≈ ζ [ = poly ( n ) ] 7 / 16

  24. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n ⋆ ‘Improve ζ to ( n /α ) ’-GapSVP: q ≈ ζ [ = poly ( n ) ] 2 LWE search = decision for large q [ ≫ poly ( n ) ] ⇒ GapSVP-hardness of prior LWE-based crypto [Reg05,. . . ] 7 / 16

  25. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n ⋆ ‘Improve ζ to ( n /α ) ’-GapSVP: q ≈ ζ [ = poly ( n ) ] 2 LWE search = decision for large q [ ≫ poly ( n ) ] ⇒ GapSVP-hardness of prior LWE-based crypto [Reg05,. . . ] 3 New LWE-based chosen ciphertext-secure encryption ⋆ Much simpler, milder assumption than prior CCA [PW08] 7 / 16

  26. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 BDD L ∗ classical LWE 8 / 16

  27. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 q u a n t u m BDD BDD L ∗ L ∗ classical classical LWE LWE 8 / 16

  28. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 q q u u a a n n t t u u m m BDD BDD L ∗ L ∗ classical classical LWE LWE 8 / 16

  29. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 q q u u a a n n t t u u m m BDD BDD L ∗ L ∗ classical classical GapSVP SIVP LWE LWE 8 / 16

  30. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L 9 / 16

  31. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L ◮ Another answer: to make use of BDD/LWE oracle 1 Choose some x ∈ L 2 Perturb to y ≈ x x y y 3 Invoke oracle on y BDD ( LWE ) 9 / 16

  32. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L ◮ Another answer: to make use of BDD/LWE oracle 1 Choose some x ∈ L 2 Perturb to y ≈ x x y y 3 Invoke oracle on y BDD ( LWE ) 4 Returns x — we already knew that! x 9 / 16

  33. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L ◮ Another answer: to make use of BDD/LWE oracle 1 Choose some x ∈ L 2 Perturb to y ≈ x x y y 3 Invoke oracle on y BDD ( LWE ) 4 Returns x — we already knew that! ✔ Quantum can x “uncompute” x 9 / 16

  34. Our Approach New way of solving GapSVP in a reduction 10 / 16

  35. Our Approach New way of solving GapSVP in a reduction “The Usual” x y y BDD ( LWE ) x 10 / 16

  36. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” x y x y y y BDD BDD ( LWE ) ( LWE ) x ?? 10 / 16

  37. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” Illegal BDD instance ⇓ x y Incorrect (& unknown!) LWE distribution x y y y BDD BDD ( LWE ) ( LWE ) x ?? 10 / 16

  38. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” Illegal BDD instance ⇓ x y Incorrect (& unknown!) LWE distribution x y SO WHAT! y y When λ ≪ d , oracle cannot guess x BDD BDD ⇓ ( LWE ) ( LWE ) Distinguishes large λ from small x ?? 10 / 16

  39. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” Illegal BDD instance ⇓ x y Incorrect (& unknown!) LWE distribution x y SO WHAT! y y When λ ≪ d , oracle cannot guess x BDD BDD ⇓ ( LWE ) ( LWE ) Distinguishes large λ from small x ?? ◮ View as [GoldGold98] AM proof between reduction and oracle 10 / 16

  40. Technical Obstacles 1 What about in BDD → LWE reduction? (No quantum allowed!) 11 / 16

  41. Technical Obstacles 1 What about in BDD → LWE reduction? (No quantum allowed!) ⋆ Use [GPV08] sampling algorithm with ‘best available’ basis for L ∗ . 11 / 16

Recommend

Fully dynamic all-pairs shortest paths with worst-case update-time revisited Ittai Abraham 1 Shiri

Fully dynamic all-pairs shortest paths with worst-case update-time revisited Ittai Abraham 1 Shiri

Fully dynamic all-pairs shortest paths with worst-case update-time revisited Ittai Abraham 1 Shiri Chechik 2 Sebastian Krinninger 3 1 Hebrew University of Jerusalem 2 Tel-Aviv University 3 Max Planck Institute for Informatics Saarland Informatics

918 views • 65 slides
Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16 Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case

1.43k views • 74 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case) Make - Heap (1) (1) (1) (lg n ) O (lg n ) (1) Insert (1) O (lg n ) (1) Minimum Extract - Min (lg n ) (lg n ) O (lg n ) ( n

376 views • 16 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 1 / 15 Worst-case versus average-case complexity Lattices are an

851 views • 58 slides
Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC) Background Deterministic QoS guarantees dictate a need for an analytical evaluation of QoS parameters: worst-case latency, worst- case

211 views • 6 slides
Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen High Performance Networking Group Stanford University HotNets-IV, November 2005 Introduction: Worst-case design Preference for worst-case

1.24k views • 14 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal MaxPlanckInstitut f ur Informatik Saarbr ucken Germany Jyrki Katajainen Datalogisk Institut Kbenhavns Universitet Denmark July 1998 Worst-Case Ef

161 views • 12 slides
Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

909 views • 63 slides
Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and History Royal InsAtute of Technology KTH, Stockholm Background IniAal phase of a 2-year research project on values in worst case scenarios.

631 views • 41 slides
quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place? recursive version? data structures and algorithms merge sort: 2020 09 10 worst-case time complexity? lecture 4 best-case time complexity? in-place?

548 views • 7 slides
Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Algorithm : Design & Analysis [6] Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds for Sorting by Comparison of Keys Worst Case Average Behavior Heapsort Heap Structure and Patial

658 views • 31 slides
Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B: Heapsort and Quicksort I sorts in place , is stable Kyriakos Kalorkoti mergeSort I worst-case running time: ( n lg ( n )) School of Informatics

334 views • 4 slides
Information Geometry in Mathematical Finance: Model Risk, Worst and Almost Worst Scenarios Imre

Information Geometry in Mathematical Finance: Model Risk, Worst and Almost Worst Scenarios Imre

The problem and its history Solution of the Problem Localisation and neighbourhood of worst case distributions Information Geometry in Mathematical Finance: Model Risk, Worst and Almost Worst Scenarios Imre Csisz ar Thomas Breuer PPE

456 views • 21 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and Swastik Kopparty and Shubhangi Saraf June 2018 Overview motivation main results applications one proof Motivation Arithmetization

283 views • 15 slides
Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert

Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert

Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert Manuel Heusner University of Basel July 19th, 2018 Introduction Theoretical Results Experimental Results Conclusion Motivation A [Hart et

535 views • 22 slides
On the Worst-Case Complexity of Timsort Nicolas Auger, Vincent Jug, Cyril Nicaud & Carine

On the Worst-Case Complexity of Timsort Nicolas Auger, Vincent Jug, Cyril Nicaud & Carine

On the Worst-Case Complexity of Timsort Nicolas Auger, Vincent Jug, Cyril Nicaud & Carine Pivoteau LIGM Universit Paris-Est Marne-la-Valle & CNRS 20/08/2018 N. Auger, V. Jug, C. Nicaud & C. Pivoteau On the Worst-Case

1.11k views • 67 slides
From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms

From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms

From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms Maria-Florina Balcan, PI Avrim Blum, Co-PI Tom M Mitchell, Co-PI Students Travis Dick Nika Haghtalab Hongyang Zhang Motivation Machine learning

443 views • 22 slides
Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence Trondheim, June 22, 2015 Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of

2.51k views • 157 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides

More recommend