worst case to average case reduction for sis
play

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky - PowerPoint PPT Presentation

Sep 17, 2022 •261 likes •909 views

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

  1. Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012

  2. Session Outline • Average-Case Problems – The Small Integer Solution (SIS) problem • Gaussian Distributions and Lattices • Reducing a Worst-Case Lattice Problem to SIS Lattice-Based Crypto & Applications 2 Bar-Ilan University Israel 2012

  3. THE AVERAGE-CASE PROBLEMS Lattice-Based Crypto & Applications 3 Bar-Ilan University, Israel 2012

  4. Lattice Problems Worst-Case Average-Case Learning With Errors Small Integer Solution Problem (LWE) Problem (SIS) One-Way Functions Public Key Encryption … Collision-Resistant Hash Functions (Cryptomania) Digital Signatures Identification Schemes (Minicrypt) Lattice-Based Crypto & Applications 4 Bar-Ilan University Israel 2012

  5. SIVP BDD quantum Worst-Case Average-Case Learning With Errors Small Integer Solution Problem (LWE) Problem (SIS) One-Way Functions Public Key Encryption … Collision-Resistant Hash Functions (Cryptomania) Digital Signatures Identification Schemes (Minicrypt) Lattice-Based Crypto & Applications 5 Bar-Ilan University Israel 2012

  6. Small Integer Solution Problem n Given: Random vectors a 1 ,...,a m in Z q Find: non-trivial solution z 1 ,...,z m in {-1,0,1} such that n z 1 in Z q 0 a 1 a 2 a m + z 2 z m + … + = Observations:  If size of z i is not restricted, then the problem is trivial  Immediately implies a collision-resistant hash function  A relationship to lattices emerges … Lattice-Based Crypto & Applications 6 Bar-Ilan University Israel 2012

  7. Relationship of SIS to Lattice Problems Find: non-trivial solution z 1 ,...,z m in {-1,0,1} such that n in Z q z 1 0 a 1 a 2 a m + z 2 + … + z m = Let S be the set of all integer z =(z 1 ,…, z m ), such that a 1 z 1 + … + a m z m =0 mod q S is a lattice! SIS problem asks to find a short vector in S. Lattice-Based Crypto & Applications 7 Bar-Ilan University, Israel 2012

  8. Representing Lattices L ⊥ ( A ) = { z in Z m : Az = 0 mod q} L( B ) = { z : z = Bx for x in Z n } B x z = z = 0 mod q A Worst-Case to Average-Case Reduction: Approximately solving SIVP in all lattices < Finding short vectors in these lattices (m ≈ nlog n) Lattice-Based Crypto & Applications 8 Bar-Ilan University, Israel 2012

  9. SIVP BDD quantum Worst-Case Average-Case Learning With Errors Small Integer Solution Problem (LWE) Problem (SIS) One-Way Functions Public Key Encryption … Collision-Resistant Hash Functions (Cryptomania) Digital Signatures Identification Schemes (Minicrypt) Lattice-Based Crypto & Applications 9 Bar-Ilan University Israel 2012

  10. Collision-Resistant Hash Functions For a random h in H, H It is hard to find: x 1 , x 2 in D such that D R h(x 1 ) = h(x 2 ) Lattice-Based Crypto & Applications 10 Bar-Ilan University Israel 2012

  11. Collision-Resistant Hash Function n Given: Random vectors a 1 ,...,a m in Z q Find: non-trivial solution z 1 ,...,z m in {-1,0,1} such that n in Z q z 1 0 a 1 a 2 a m + z 2 z m + … + = A =( a 1 ,..., a m ) Define h A : {0,1} m → Z q n where h A ( z 1 ,..., z m )= a 1 z 1 + … + a m z m Domain of h = {0,1} m (size = 2 m ) Range of h = Z q n (size = q n ) Set m>nlog q to get compression Collision: a 1 z 1 + … + a m z m = a 1 y 1 + … + a m y m So, a 1 (z 1 -y 1 ) + … + a m (z m -y m ) = 0 and z i -y i are in {-1,0,1} Lattice-Based Crypto & Applications 11 Bar-Ilan University Israel 2012

  12. SIVP BDD quantum Worst-Case Average-Case Learning With Errors Small Integer Solution Problem (LWE) Problem (SIS) One-Way Functions Public Key Encryption … Collision-Resistant Hash Functions (Cryptomania) Digital Signatures Identification Schemes (Minicrypt) Lattice-Based Crypto & Applications 12 Bar-Ilan University Israel 2012

  13. THE GAUSSIAN (NORMAL) DISTRIBUTION Lattice-Based Crypto & Applications 13 Bar-Ilan University, Israel 2012

  14. Definition 1-dimensional Gaussian distribution: ρ s (x) = (1/s) e - π x 2 /s 2 It’s a Normal distribution: Centered at 0 Standard deviation: s/√ 2 π Lattice-Based Crypto & Applications 14 Bar-Ilan University, Israel 2012

  15. Example (s=1) Lattice-Based Crypto & Applications 15 Bar-Ilan University, Israel 2012

  16. Example (s=1 and 5) Lattice-Based Crypto & Applications 16 Bar-Ilan University, Israel 2012

  17. 2-Dimensional Gaussian 1-dim gaussian on the x 1 axis: 2 /s 2 ρ s (x 1 ) = (1/s) e - π x 1 1-dim gaussian on the x 2 axis: 2 /s 2 ρ s (x 2 ) = (1/s) e - π x 2 ρ s (x 1 ,x 2 ) = ρ s (x 1 ) ∙ ρ s (x 2 ) 2 /s 2 ∙ (1/s)e - π x 2 2 /s 2 = (1/s)e - π x 1 = (1/s) 2 e - π (x 1 2 + x 2 2 )/s 2 | 2 /s 2 ρ s ( x ) = (1/s) 2 e - π | | x | Lattice-Based Crypto & Applications 17 Bar-Ilan University, Israel 2012

  18. 2-Dimensional Example Lattice-Based Crypto & Applications 18 Bar-Ilan University, Israel 2012

  19. n-Dimensional Gaussian n-dimensional Gaussian distribution: | 2 /s 2 ρ s ( x ) = (1/s) n e - π | | x | It’s an n -dimensional Normal distribution: Centered at 0 Standard deviation: s/√ 2 π Lattice-Based Crypto & Applications 19 Bar-Ilan University, Israel 2012

  20. Useful Properties of the Gaussian Distribution 1. It is a Product Distribution 2. It is Spherically-Symmetric 3. It is “uniform” modulo parallelepipeds Lattice-Based Crypto & Applications 20 Bar-Ilan University, Israel 2012

  21. Product Distribution ρ s ( x ) = ρ s (x 1 ) ∙ … ∙ ρ s (x n ) Lattice-Based Crypto & Applications 21 Bar-Ilan University, Israel 2012

  22. Spherically Symmetric | 2 /s 2 ρ s ( x )= (1/s) n e - π | | x | The probability of x only depends on its length The distribution is “axis - independent” Lattice-Based Crypto & Applications 22 Bar-Ilan University, Israel 2012

  23. Generating Uniform Elements on a Line Segment ρ s (x)= (1/s) e - π x 2 /s 2 and s=5M, for some positive M if X ~ ρ s , then for all m < M, Δ (X mod m , Uniform [0, m) ) < 2 -110 Lattice-Based Crypto & Applications 23 Bar-Ilan University, Israel 2012

  24. Example (s=1,m=1) Lattice-Based Crypto & Applications 24 Bar-Ilan University, Israel 2012

  25. Example (s=1,m=1, .9, .8) Lattice-Based Crypto & Applications 25 Bar-Ilan University, Israel 2012

  26. Example (s=2) Lattice-Based Crypto & Applications 26 Bar-Ilan University, Israel 2012

  27. Example (s=5, m=1) Lattice-Based Crypto & Applications 27 Bar-Ilan University, Israel 2012

  28. Generating Uniform Elements in an n-dimensional Parallelepiped Reducing modulo a parallelepiped Lattice-Based Crypto & Applications 28 Bar-Ilan University, Israel 2012

  29. Generating Uniform Elements in an n-Dimensional Box Box B with dimensions (m 1 , … , m n ), all m i < M. Generate X 1 , … , X n ~ ρ s (x) = (1/s) e - π x 2 /s 2 , where s=5M For each j, Δ (X j mod m , Uniform [0, m j ) ) < 2 -110 Thus Δ ((X 1 mod m 1 , … , X n mod m n ) , Uniform( B )) < n2 -110 | 2 /s 2 for s=5M, Δ ( X mod B , Uniform( B )) < n2 -110 ≈ 0 So, if X ~ ρ s ( x ) = (1/s) n e - π | | x | m 2 B m 1 Lattice-Based Crypto & Applications 29 Bar-Ilan University, Israel 2012

  30. Generating Uniform Elements in a Rotated n-Dimensional Box | 2 /s 2 is a spherical distribution ρ s ( x ) = (1/s) n e - π | | x | So rotating axes doesn’t affect it Lattice-Based Crypto & Applications 30 Bar-Ilan University, Israel 2012

  31. Generating Uniform Elements in a Rotated n-Dimensional Box | 2 /s 2 is a spherical distribution ρ s ( x ) = (1/s) n e - π | | x | So rotating axes doesn’t affect it Thus, Δ ( X mod B’ , Uniform( B’ )) ≈ 0 Lattice-Based Crypto & Applications 31 Bar-Ilan University, Israel 2012

  32. Generating Uniform Elements in Parallelepipeds | 2 /s 2 Suppose we have X ~ ρ s ( x ) = (1/s) n e - π | | x | and X mod A is uniform Is X uniform modulo B ? Lattice-Based Crypto & Applications 32 Bar-Ilan University, Israel 2012

  33. Generating Uniform Elements in Parallelepipeds If B is much bigger than A (i.e. has a bigger determinant), then probably NO. Lattice-Based Crypto & Applications 33 Bar-Ilan University, Israel 2012

  34. Generating Uniform Elements in Parallelepipeds If B is much bigger than A (i.e. has a bigger determinant), then probably NO. But what if B = AU when det( U )=1? Still … not necessarily. A B Lattice-Based Crypto & Applications 34 Bar-Ilan University, Israel 2012

  35. Generating Uniform Elements in Parallelepipeds If B = AU and det( U )=1, then X mod A is uniform  X mod B is uniform if: 1.) U is an integer matrix or 2.) U is an upper-triangular matrix with 1 ’s on the diagonal Lattice-Based Crypto & Applications 35 Bar-Ilan University, Israel 2012

  36. Some Simplifying Assumptions Pretend that the space R n is divided into a very very fine grid. Any two parallelepipeds that have the same determinant have the same number of grid points inside them. Lattice-Based Crypto & Applications 36 Bar-Ilan University, Israel 2012

Recommend

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 1 / 15 Worst-case versus average-case complexity Lattices are an

851 views • 58 slides
Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16 Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case

1.43k views • 74 slides
Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and Swastik Kopparty and Shubhangi Saraf June 2018 Overview motivation main results applications one proof Motivation Arithmetization

283 views • 15 slides
Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Algorithm : Design &amp; Analysis [6] Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds for Sorting by Comparison of Keys Worst Case Average Behavior Heapsort Heap Structure and Patial

658 views • 31 slides
Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort of x 1 , x 2 , , x n . For i = 2, 3, , n , insert x i into x 1 , x 2 , , x i 1 such that these i data items are sorted.

509 views • 31 slides
Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case) Make - Heap (1) (1) (1) (lg n ) O (lg n ) (1) Insert (1) O (lg n ) (1) Minimum Extract - Min (lg n ) (lg n ) O (lg n ) ( n

376 views • 16 slides
Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research) Damien Scieur (Samsung SAIT AI Lab, Montral) International Conference on Machine Learning 2020 Complexity Analysis in Optimization Worst-case

271 views • 12 slides
Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC) Background Deterministic QoS guarantees dictate a need for an analytical evaluation of QoS parameters: worst-case latency, worst- case

211 views • 6 slides
Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if... SAT is hard in the worst case, BUT... generating hard random instances of SAT is hard? Lipton, 1993 worst-case versus average-case complexity 1.

481 views • 22 slides
Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen High Performance Networking Group Stanford University HotNets-IV, November 2005 Introduction: Worst-case design Preference for worst-case

1.24k views • 14 slides
quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place? recursive version? data structures and algorithms merge sort: 2020 09 10 worst-case time complexity? lecture 4 best-case time complexity? in-place?

548 views • 7 slides
1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

Worst-Case vs. Average Case CSE 473: Artificial Intelligence Expectimax, Uncertainty, Utilities max min 10 10 9 100 Dieter Fox [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188

394 views • 8 slides
Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal MaxPlanckInstitut f ur Informatik Saarbr ucken Germany Jyrki Katajainen Datalogisk Institut Kbenhavns Universitet Denmark July 1998 Worst-Case Ef

161 views • 12 slides
Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and History Royal InsAtute of Technology KTH, Stockholm Background IniAal phase of a 2-year research project on values in worst case scenarios.

631 views • 41 slides
Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert

Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert

Best-Case and Worst-Case Behavior of Greedy Best-First Search Thomas Keller Malte Helmert Manuel Heusner University of Basel July 19th, 2018 Introduction Theoretical Results Experimental Results Conclusion Motivation A [Hart et

535 views • 22 slides
From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms

From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms

From Worst-Case to Realistic-Case Analysis for Large Scale Machine Learning Algorithms Maria-Florina Balcan, PI Avrim Blum, Co-PI Tom M Mitchell, Co-PI Students Travis Dick Nika Haghtalab Hongyang Zhang Motivation Machine learning

443 views • 22 slides
Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B: Heapsort and Quicksort I sorts in place , is stable Kyriakos Kalorkoti mergeSort I worst-case running time: ( n lg ( n )) School of Informatics

334 views • 4 slides
Algorithm Analysis: Big O Notation Determine the running

Algorithm Analysis: Big O Notation Determine the running

Algorithm Analysis: Big O Notation Determine the running time of simple algorithms Best case Average case Worst case Profile algorithms

1.28k views • 82 slides
The problem with binary search trees Height-balanced trees AVL trees Search time average case:

The problem with binary search trees Height-balanced trees AVL trees Search time average case:

The problem with binary search trees Height-balanced trees AVL trees Search time average case: lg( n ) Tyler Moore Search time worst case: n Can you construct such a tree? CS 2123, The University of Tulsa Solution: height-balanced binary trees

212 views • 4 slides
Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement quicksort derive the average case runtime of quick sort and similar algorithms Q1-3 Q1 For any recurrence relation in in th the f form :

329 views • 18 slides
Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement quicksort derive the average case runtime of quick sort and similar algorithms Q1-3 Q1 For any recurrence relation in e form : in th the f

354 views • 19 slides
Binary Search Tree Remove Todays announcements: PA2 available soon Todays Plan

Binary Search Tree Remove Todays announcements: PA2 available soon Todays Plan

Binary Search Tree Remove Todays announcements: PA2 available soon Todays Plan Average height of BST Remove Warm up: Worst case time to perform find in a BST with n nodes: Worst case time to perform n inserts into an empty BST:

364 views • 15 slides
On the Worst-Case Complexity of Timsort Nicolas Auger, Vincent Jug, Cyril Nicaud &amp; Carine

On the Worst-Case Complexity of Timsort Nicolas Auger, Vincent Jug, Cyril Nicaud &amp; Carine

On the Worst-Case Complexity of Timsort Nicolas Auger, Vincent Jug, Cyril Nicaud &amp; Carine Pivoteau LIGM Universit Paris-Est Marne-la-Valle &amp; CNRS 20/08/2018 N. Auger, V. Jug, C. Nicaud &amp; C. Pivoteau On the Worst-Case

1.11k views • 67 slides
Uncertainty and Utilities School of Data Science, Fudan

Uncertainty and Utilities School of Data Science, Fudan

DATA130008 Introduction to Artificial Intelligence Uncertainty and Utilities School of Data Science, Fudan University March 20 th , 2019 Uncertain Outcomes Worst-Case vs. Average Case max min 10 10 9

669 views • 32 slides

More recommend