On Bounded Distance Decoding, Unique Shortest Vectors, and the

Slides:

Advertisements

Similar presentations

Lattice-based Cryptography

Advertisements

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.

Shortest Vector In A Lattice is NP-Hard to approximate

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Lattices, Cryptography and Computing with Encrypted Data

Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

The Closest Vector is Hard to Approximate and now, for unlimited time only with Pre - Processing !! Nisheeth vishnoi Subhash Khot Michael Alekhnovich Joint.

Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.

New Lattice Based Cryptographic Constructions

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs.

阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Lattice-Based Cryptography

ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.

Diophantine Approximation and Basis Reduction

Ideal Lattices and Ring-LWE

Vadim Lyubashevsky INRIA / ENS, Paris

Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)

Short course on quantum computing Andris Ambainis University of Latvia.

Better Key Sizes (and Attacks) for LWE-Based Encryption Richard LindnerChris Peikert.

Fast algorithm for the Shortest Vector Problem er (joint with Aggarwal, Dadush, and Stephens-Davidowitz) Oded Regev Courant Institute, NYU UC Irvine, Sloan.

Quantum Algorithms & Complexity

David Cash (UCSD) Dennis Hofheinz (KIT) Eike Kiltz (CWI) Chris Peikert (GA)

Secure Parameters for SWIFFT Johannes Buchmann Richard Lindner.

Lattice-based cryptography and quantum Oded Regev Tel-Aviv University.

Lattice Based Signatures Johannes Buchmann Erik Dahmen Richard Lindner Markus Rückert Michael Schneider.

1 The unique-SVP World 1. Ajtai-Dwork’97/07, Regev’03  PKE from worst-case uSVP 2. Lyubashvsky-Micciancio’09  Relations between worst-case uSVP, BDD,

Directions in Practical Lattice Cryptography Vadim Lyubashevsky IBM Research – Zurich.

Network Security Netzwerksicherheit Lecture ID: ET-IDA-082 and 111

Topic 26: Discrete LOG Applications

Computational Fuzzy Extractors

Sampling of min-entropy relative to quantum knowledge Robert König in collaboration with Renato Renner TexPoint fonts used in EMF. Read the TexPoint.

Attack on Fully Homomorphic Encryption over Principal Ideal Lattice

Possible Impact of quantum computing

The Learning With Errors Problem

Knapsack Cryptosystems

Homework 3 As announced: not due today 

Digital Signature Schemes and the Random Oracle Model

Practical Aspects of Modern Cryptography

Background: Lattices and the Learning-with-Errors problem

Lattice Signature Schemes

CS154, Lecture 16: More NP-Complete Problems; PCPs

Equivalence of Search and Decisional (Ring-) LWE

Mitigating Multi-Target-Attacks in Hash-based Signatures

Cryptosystems from unique-SVP lattices Ajtai-Dwork’97/07, Regev’03

CAS CS 538 Cryptography.

Vadim Lyubashevsky INRIA / ENS, Paris

Basis Hung-yi Lee.

Vadim Lyubashevsky IBM Research -- Zurich

Directions in Practical Lattice Cryptography

Lattice Cryptography in the NIST Standardization Process

Security for Distributed Computer Systems

S.Safra I.Dinur G.Kindler

Lattices. Svp & cvp. lll algorithm. application in cryptography

On The Quantitative Hardness of the Closest Vector Problem

Daniel Dadush Centrum Wiskunde & Informatica (CWI) Aussois 2019

CS154, Lecture 16: More NP-Complete Problems; PCPs

Linear Algebra Lecture 41.

SPHINCS+ Submission to the NIST post-quantum project

Parameterized Complexity of Even Set (and others)

New Jersey, October 9-11, 2016 Field of theoretical computer science

Cryptography Lecture 18.

Cryptography Fundamentals

Collapse-binding quantum commitments without random oracles

LAB 3: Digital Signature

Presentation transcript:

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio

Lattice: A discrete additive subgroup of Rn Lattices Lattice: A discrete additive subgroup of Rn

Lattices Basis: A set of linearly independent vectors that generate the lattice.

Lattices Basis: A set of linearly independent vectors that generate the lattice.

Why are Lattices Interesting? (In Cryptography)‏ Ajtai ('96) showed that solving “average” instances of some lattice problem implies solving all instances of a lattice problem Possible to base cryptography on worst-case instances of lattice problems

SIVP [Ajt '96,...] Minicrypt primitives

Shortest Independent Vector Problem (SIVP)‏ Find n short linearly independent vectors

Shortest Independent Vector Problem (SIVP)‏ Find n short linearly independent vectors

Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

[Ajt '96,...] SIVP Minicrypt primitives [Ban '93] n GapSVP

Minimum Distance Problem (GapSVP)‏ Find the minimum distance between the vectors in the lattice

Minimum Distance Problem (GapSVP)‏ Find the minimum distance between the vectors in the lattice

SIVP [Ajt '96,...] Minicrypt primitives [Ban '93] n GapSVP

SIVP GapSVP uSVP Minicrypt primitives n [Ajt '96,...] [Ban '93] Cryptosystems Ajtai-Dwork '97 Regev '03

Unique Shortest Vector Problem (uSVP)‏ Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

Unique Shortest Vector Problem (uSVP)‏ Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

SIVP GapSVP uSVP Minicrypt primitives n ≈1 [Ajt '96,...] [Ban '93] [Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

SIVP GapSVP uSVP Minicrypt primitives n ≈1 [Ajt '96,...] [Ban '93] (quantum reduction)‏ Cryptosystem Regev '05 ≈1 [Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

SIVP GapSVP uSVP Minicrypt primitives n ≈1 [Ajt '96,...] [Ban '93] (quantum reduction)‏ Cryptosystems Regev '05 Peikert '09 ≈1 [Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

SIVP GapSVP BDD uSVP Minicrypt primitives n n (quantum reduction)‏ ≈1 [Ajt '96,...] Minicrypt primitives [Ban '93] n n (quantum reduction)‏ [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] ≈1 [Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

Bounded Distance Decoding (BDD)‏ Given a target vector that's close to the lattice, find the nearest lattice vector

SIVP GapSVP BDD uSVP Minicrypt primitives n n (quantum reduction)‏ 1 1 [Ajt '96,...] Minicrypt primitives [Ban '93] n n (quantum reduction)‏ [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] 1 1 2 uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

SIVP GapSVP BDD uSVP Minicrypt primitives Crypto- systems (quantum reduction)‏ GapSVP BDD uSVP Crypto- systems

Cryptosystem Hardness Assumptions Implications of our results

Lattice-Based Primitives Minicrypt One-way functions [Ajt '96] Collision-resistant hash functions [Ajt '96,MR '07] Identification schemes [MV '03,Lyu '08, KTX '08] Signature schemes [LM '08, GPV '08] Public-Key Cryptosystems [AD '97] (uSVP)‏ [Reg '03] (uSVP)‏ [Reg '05] (SIVP and GapSVP under quantum reductions)‏ [Pei '09] (GapSVP)‏ All Based on GapSVP and SIVP All Based on GapSVP and quantum SIVP Major Open Problem: Construct cryptosystems based on SIVP

Reductions GapSVP BDD 1 1 2 uSVP

Proof Sketch (BDD < uSVP)‏

Proof Sketch (BDD < uSVP)‏

Proof Sketch (BDD < uSVP)‏

Proof Sketch (BDD < uSVP)‏

Proof Sketch (BDD < uSVP)‏

Proof Sketch (BDD < uSVP)‏ New basis vector used exactly once in constructing the unique shortest vector

Proof Sketch (BDD < uSVP)‏ New basis vector used exactly once in constructing the unique shortest vector

Proof Sketch (BDD < uSVP)‏ New basis vector used exactly once in constructing the unique shortest vector Subtracting unique shortest vector from new basis vector gives the closest point to the target.

Open Problems Can we construct cryptosystems based on SIVP (SVP would be even better!)‏ Can the reduction GapSVP < BDD be tightened? Can the reduction BDD < uSVP be tightened?

Thanks!