trapdoors for lattices simpler tighter faster smaller
play

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele - PowerPoint PPT Presentation

May 11, 2023 •366 likes •1.2k views

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

  1. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17

  2. Lattice-Based Cryptography p d o m x g = y N = = ⇒ p m e mod N · q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17

  3. Lattice-Based Cryptography = ⇒ (Images courtesy xkcd.org) 2 / 17

  4. Lattice-Based Cryptography = ⇒ Why? ◮ Simple & efficient: linear, highly parallel operations ◮ Resist quantum attacks (so far) ◮ Secure under worst-case hardness assumptions [Ajtai’96,. . . ] ◮ Solve ‘holy grail’ problems like FHE [Gentry’09,. . . ] (Images courtesy xkcd.org) 2 / 17

  5. Lattice-Based One-Way Functions � � ∈ Z n × m ◮ Public key · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q 3 / 17

  6. Lattice-Based One-Way Functions � � ∈ Z n × m ◮ Public key · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q f A ( x ) = Ax mod q ∈ Z n q (“short” x , surjective) CRHF if SIS hard [Ajtai’96,. . . ] 3 / 17

  7. Lattice-Based One-Way Functions � � ∈ Z n × m ◮ Public key · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] 3 / 17

  8. Lattice-Based One-Way Functions � � ∈ Z n × m ◮ Public key · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] ◮ Lattice interpretation: Λ ⊥ ( A ) = { x ∈ Z m : f A ( x ) = Ax = 0 mod q } ( 0 , q ) O ( q , 0 ) 3 / 17

  9. Lattice-Based One-Way Functions � � ∈ Z n × m ◮ Public key · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] ◮ Lattice interpretation: Λ ⊥ ( A ) = { x ∈ Z m : f A ( x ) = Ax = 0 mod q } ( 0 , q ) x O ( q , 0 ) 3 / 17

  10. Lattice-Based One-Way Functions � � ∈ Z n × m ◮ Public key · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] ◮ f A , g A in forward direction yield CRHFs, CPA-secure encryption . . . and not much else. 3 / 17

  11. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . 4 / 17

  12. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert g A ( s , e ) = s t A + e t mod q : find the unique preimage s (equivalently, e ) 4 / 17

  13. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert u = f A ( x ′ ) = Ax ′ mod q : Invert g A ( s , e ) = s t A + e t mod q : sample random x ← f − 1 A ( u ) find the unique preimage s with prob ∝ exp ( −� x � 2 / s 2 ) . (equivalently, e ) 4 / 17

  14. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert u = f A ( x ′ ) = Ax ′ mod q : Invert g A ( s , e ) = s t A + e t mod q : sample random x ← f − 1 A ( u ) find the unique preimage s with prob ∝ exp ( −� x � 2 / s 2 ) . (equivalently, e ) ◮ How? Use a “strong trapdoor” for A : a short basis of Λ ⊥ ( A ) [Babai’86,GGH’97,Klein’01,GPV’08,P’10] O 4 / 17

  15. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . 5 / 17

  16. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) 5 / 17

  17. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m , x ): check f A ( x ) = Ax = H ( m ) and x “short enough” 5 / 17

  18. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m , x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard 5 / 17

  19. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m , x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Other “Black-Box” Applications of f − 1 , g − 1 ◮ Standard model signatures [CHKP’10,R’10,B’10] ◮ CCA-secure encryption [PW’08,P’09] ◮ (Hierarchical) ID-based encryption [GPV’08,CHKP’10,ABB’10a,ABB’10b] ◮ Much more: [PVW’08,PV’08,GHV’10,GKV’10,BF’10a,BF’10b,OPW’11,AFV’11,ABVVW’11,. . . ] 5 / 17

  20. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m , x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] 5 / 17

  21. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m , x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] ✗ Known algorithms trade quality for efficiency 5 / 17

  22. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m , x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] ✗ Known algorithms trade quality for efficiency g − 1 A : [Babai’86] (tight,iterative,fp) vs [Babai’86] (looser,parallel,offline) f − 1 A : [Klein’01,GPV’08] (ditto) vs [P’10] (ditto) 5 / 17

  23. Taming the Parameters �� � · · · · · · n A � �� � m O f A ( x ) = Ax 6 / 17

  24. Taming the Parameters �� � · · · · · · n A � �� � m O f A ( x ) = Ax 1 Trapdoor construction yields some lattice dim m = Ω( n log q ) . 6 / 17

  25. Taming the Parameters �� � · · · · · · n A � �� � m O f A ( x ) = Ax 1 Trapdoor construction yields some lattice dim m = Ω( n log q ) . 2 Basis “quality” ≈ lengths of basis vectors ≈ Gaussian std dev s . 6 / 17

  26. Taming the Parameters �� � · · · · · · n A � �� � m O f A ( x ) = Ax 1 Trapdoor construction yields some lattice dim m = Ω( n log q ) . 2 Basis “quality” ≈ lengths of basis vectors ≈ Gaussian std dev s . ⇒ preimage length β = � x � ≈ s √ m . 3 Dimension m , std dev s = 6 / 17

  27. Taming the Parameters �� � · · · · · · n A � �� � m O f A ( x ) = Ax 1 Trapdoor construction yields some lattice dim m = Ω( n log q ) . 2 Basis “quality” ≈ lengths of basis vectors ≈ Gaussian std dev s . ⇒ preimage length β = � x � ≈ s √ m . 3 Dimension m , std dev s = 4 Choose n , q so that finding β -bounded preimages is hard. 6 / 17

  28. Taming the Parameters �� � · · · · · · n A � �� � m O f A ( x ) = Ax 1 Trapdoor construction yields some lattice dim m = Ω( n log q ) . 2 Basis “quality” ≈ lengths of basis vectors ≈ Gaussian std dev s . ⇒ preimage length β = � x � ≈ s √ m . 3 Dimension m , std dev s = 4 Choose n , q so that finding β -bounded preimages is hard. ✔ Better dimension m & quality s = ⇒ “win-win-win” in security-keysize-runtime 6 / 17

  29. Our Contributions New “strong” trapdoor generation and inversion algorithms: 7 / 17

  30. Our Contributions New “strong” trapdoor generation and inversion algorithms: ✔ Very simple & fast ⋆ Generation: one matrix mult. No HNF or inverses (cf. [A’99,AP’09] ) ⋆ Inversion: practical, parallel, & mostly offline ⋆ No more efficiency-vs-quality tradeoff 7 / 17

Recommend

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides
Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich

Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich

Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich Martinski February 10, 2014 SIMPLER. FASTER. BETTER. LESS COSTLY. SIMPLER. FASTER. BETTER. LESS COSTLY. 7 Steps to Implementing Lean

910 views • 37 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris Peikert SRI Work with Craig Gentry and Vinod Vaikuntanathan 1 / 14 Digital Signatures 2 / 14 Digital Signatures (public) (secret) 2 / 14

1.48k views • 78 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
KenLM: Faster and Smaller Language Model Queries Kenneth Heafield heafield@cs.cmu.edu Carnegie

KenLM: Faster and Smaller Language Model Queries Kenneth Heafield heafield@cs.cmu.edu Carnegie

Backoff Models Data Structures Results KenLM: Faster and Smaller Language Model Queries Kenneth Heafield heafield@cs.cmu.edu Carnegie Mellon July 30, 2011 kheafield.com/code/kenlm Heafield KenLM: Faster and Smaller Language Model Queries

435 views • 41 slides
Functions Function Smaller, simpler, subcomponent of program Provides abstraction hide

Functions Function Smaller, simpler, subcomponent of program Provides abstraction hide

Chapter 14 Functions Function Smaller, simpler, subcomponent of program Provides abstraction hide low-level details give high-level structure to program, easier to understand overall program flow enables separable, independent

353 views • 20 slides
Contraction Hierarchies: Faster and Simpler Hierarchical Routing in Road Networks R. Geisberger

Contraction Hierarchies: Faster and Simpler Hierarchical Routing in Road Networks R. Geisberger

Motivation Our Contributions Contraction Hierarchies: Faster and Simpler Hierarchical Routing in Road Networks R. Geisberger P . Sanders D. Schultes D. Delling 7th International Workshop on Experimental Algorithms R. Geisberger, P .

4.95k views • 30 slides
Ohio Department of Natural Resources PARKS-WATERCRAFT MERGER September 26 - 30, 2016 SIMPLER.

Ohio Department of Natural Resources PARKS-WATERCRAFT MERGER September 26 - 30, 2016 SIMPLER.

Ohio Department of Natural Resources PARKS-WATERCRAFT MERGER September 26 - 30, 2016 SIMPLER. FASTER. BETTER. LESS COSTLY. SIMPLER. FASTER. BETTER. LESS COSTLY. lean.ohio.gov lean.ohio.gov Facilitator: Y'vette Helm - Green Belt

630 views • 33 slides
YELLOW BELT TRAINING (LEAN DAILY) SIMPLER. FASTER. BETTER. LESS COSTLY. lean.ohio.gov

YELLOW BELT TRAINING (LEAN DAILY) SIMPLER. FASTER. BETTER. LESS COSTLY. lean.ohio.gov

YELLOW BELT TRAINING (LEAN DAILY) SIMPLER. FASTER. BETTER. LESS COSTLY. lean.ohio.gov Objectives Start thinking Lean Introduce Lean concepts that can be used for daily improvements Basic knowledge on Lean tools for

1.01k views • 48 slides
Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio (UCSD) Nicholas Genise (UCSD) Modern Cryptography Founded on Mathematics / Complexity Theory Start from mathematical problem P that is

461 views • 32 slides
Smaller and faster public-key crypto for IoT from genus-2 curves Benjamin Smith Real-world

Smaller and faster public-key crypto for IoT from genus-2 curves Benjamin Smith Real-world

Smaller and faster public-key crypto for IoT from genus-2 curves Benjamin Smith Real-world crypto+privacy summer school, Sibenik, 18/6/2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Ancient history singularities

501 views • 37 slides
Creating smaller, faster, production-worthy mobile machine learning models Jameson Toole

Creating smaller, faster, production-worthy mobile machine learning models Jameson Toole

Creating smaller, faster, production-worthy mobile machine learning models Jameson Toole OReilly AI London, 2019 We showcase this approach by training an 8.3 billion parameter transformer language model with 8-way model parallelism and

827 views • 31 slides
WebRTC enabling faster, smaller and more beautiful web +Stephen Konig skonig@google.com +Ilya

WebRTC enabling faster, smaller and more beautiful web +Stephen Konig skonig@google.com +Ilya

Video @ bit.ly/io-webp WebRTC enabling faster, smaller and more beautiful web +Stephen Konig skonig@google.com +Ilya Grigorik igrigorik@google.com https://developers.google.com/speed/webp/ For an average page, images account for... 60% of

903 views • 36 slides
uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research Scientist, NEC Europe Ltd. Unikernels? Faster, smaller, better! 2 Unikernels? Faster, smaller, better! clip arts: clipproject.info Unikernels

1.14k views • 71 slides
Cache 10/27/16 The Memory Hierarchy Smaller On 1 cycle to access Chip Faster Registers CPU

Cache 10/27/16 The Memory Hierarchy Smaller On 1 cycle to access Chip Faster Registers CPU

Cache 10/27/16 The Memory Hierarchy Smaller On 1 cycle to access Chip Faster Registers CPU Storage instrs Costlier can per byte directly Cache(s) ~10s of cycles to access access (SRAM) Main memory ~100 cycles to access

1.07k views • 64 slides
New Circuit Minimization Techniques for Smaller and Faster AES SBoxes Alexander Maximov and

New Circuit Minimization Techniques for Smaller and Faster AES SBoxes Alexander Maximov and

New Circuit Minimization Techniques for Smaller and Faster AES SBoxes Alexander Maximov and Patrik Ekdahl Ericsson Research Patrik Ekdahl Ericsson Research 2019-08-26 Ericsson Internal | 2018-02-21 Plaintext Preliminaries 128 128

529 views • 22 slides
Green Belt Six Sigma Project Report Out Lean Mean Order Processing Machine Three Leaf

Green Belt Six Sigma Project Report Out Lean Mean Order Processing Machine Three Leaf

Green Belt Six Sigma Project Report Out Lean Mean Order Processing Machine Three Leaf Productions Inc July 21, 2016 SIMPLER. FASTER. BETTER. LESS COSTLY. SIMPLER. FASTER. BETTER. LESS COSTLY. lean.ohio.gov lean.ohio.gov

422 views • 16 slides
Threading 1 Handout written by Nick Parlante Concurrency Trends Faster Computers How is it

Threading 1 Handout written by Nick Parlante Concurrency Trends Faster Computers How is it

CS108, Stanford Handout #23 Autumn 2011 Young Threading 1 Handout written by Nick Parlante Concurrency Trends Faster Computers How is it that computers are faster now than 10 years ago? - Process improvements -- chips are smaller and run

483 views • 13 slides
Green Belt Six Sigma Project Report Out Data Analytics Assessment Project State of Ohio Board

Green Belt Six Sigma Project Report Out Data Analytics Assessment Project State of Ohio Board

Green Belt Six Sigma Project Report Out Data Analytics Assessment Project State of Ohio Board of Pharmacy July 21, 2016 SIMPLER. FASTER. BETTER. LESS COSTLY. SIMPLER. FASTER. BETTER. LESS COSTLY. lean.ohio.gov lean.ohio.gov

349 views • 13 slides
EE 457 Unit 7a Cache and Memory Hierarchy 2 Memory Hierarchy & Caching Use several

EE 457 Unit 7a Cache and Memory Hierarchy 2 Memory Hierarchy & Caching Use several

1 EE 457 Unit 7a Cache and Memory Hierarchy 2 Memory Hierarchy & Caching Use several levels of faster and faster memory to hide delay of upper levels More Smaller Faster Expensive Unit of Transfer: Word, Half, or Byte (LW, LH, LB

515 views • 40 slides
Simpler Optimal Algorithm for Contextual Bandits under Realizability Yunzong Xu MIT Joint work

Simpler Optimal Algorithm for Contextual Bandits under Realizability Yunzong Xu MIT Joint work

Bypassing the Monster: A Faster and Simpler Optimal Algorithm for Contextual Bandits under Realizability Yunzong Xu MIT Joint work with David Simchi-Levi (MIT) July 18 RealML @ ICML 2020 Stochastic Contextual Bandits For round = 1,

622 views • 5 slides
Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Recall Cycle-Free Codes and Lattices Lattices from Codes Codes from Lattices Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013

851 views • 55 slides
Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an additive subgroup R n such that Z n ( is free on n generators) b Z R R n ( spans the whole real vector space) # n +

246 views • 7 slides

More recommend