Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Bounded Distance Decoding, Unique Shortest Vectors, and the

Published byClaud York Modified over 6 years ago

Similar presentations

Presentation on theme: "On Bounded Distance Decoding, Unique Shortest Vectors, and the"— Presentation transcript:

1 On Bounded Distance Decoding, Unique Shortest Vectors, and the
Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio

2 Lattice: A discrete additive subgroup of Rn
Lattices Lattice: A discrete additive subgroup of Rn

3 Lattices Basis: A set of linearly independent vectors that generate the lattice.

4 Lattices Basis: A set of linearly independent vectors that generate the lattice.

5 Why are Lattices Interesting? (In Cryptography)‏
Ajtai ('96) showed that solving “average” instances of some lattice problem implies solving all instances of a lattice problem Possible to base cryptography on worst-case instances of lattice problems

6 SIVP [Ajt '96,...] Minicrypt primitives

7 Shortest Independent Vector Problem (SIVP)‏
Find n short linearly independent vectors

8 Shortest Independent Vector Problem (SIVP)‏
Find n short linearly independent vectors

9 Approximate Shortest Independent Vector Problem
Find n pretty short linearly independent vectors

10 [Ajt '96,...] SIVP Minicrypt primitives [Ban '93] n GapSVP

11 Minimum Distance Problem (GapSVP)‏
Find the minimum distance between the vectors in the lattice

12 Minimum Distance Problem (GapSVP)‏
Find the minimum distance between the vectors in the lattice

13 SIVP [Ajt '96,...] Minicrypt primitives [Ban '93] n GapSVP

14 SIVP GapSVP uSVP Minicrypt primitives n [Ajt '96,...] [Ban '93]
Cryptosystems Ajtai-Dwork '97 Regev '03

15 Unique Shortest Vector Problem (uSVP)‏
Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

16 Unique Shortest Vector Problem (uSVP)‏
Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

17 SIVP GapSVP uSVP Minicrypt primitives n ≈1 [Ajt '96,...] [Ban '93]
[Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

18 SIVP GapSVP uSVP Minicrypt primitives n ≈1 [Ajt '96,...] [Ban '93]
(quantum reduction)‏ Cryptosystem Regev '05 ≈1 [Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

19 SIVP GapSVP uSVP Minicrypt primitives n ≈1 [Ajt '96,...] [Ban '93]
(quantum reduction)‏ Cryptosystems Regev '05 Peikert '09 ≈1 [Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

20 SIVP GapSVP BDD uSVP Minicrypt primitives n n (quantum reduction)‏ ≈1
[Ajt '96,...] Minicrypt primitives [Ban '93] n n (quantum reduction)‏ [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] ≈1 [Reg '03] uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

21 Bounded Distance Decoding (BDD)‏
Given a target vector that's close to the lattice, find the nearest lattice vector

22 SIVP GapSVP BDD uSVP Minicrypt primitives n n (quantum reduction)‏ 1 1
[Ajt '96,...] Minicrypt primitives [Ban '93] n n (quantum reduction)‏ [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] 1 1 2 uSVP Cryptosystems Ajtai-Dwork '97 Regev '03

23 SIVP GapSVP BDD uSVP Minicrypt primitives Crypto- systems
(quantum reduction)‏ GapSVP BDD uSVP Crypto- systems

24 Cryptosystem Hardness Assumptions
Implications of our results

25 Lattice-Based Primitives
Minicrypt One-way functions [Ajt '96] Collision-resistant hash functions [Ajt '96,MR '07] Identification schemes [MV '03,Lyu '08, KTX '08] Signature schemes [LM '08, GPV '08] Public-Key Cryptosystems [AD '97] (uSVP)‏ [Reg '03] (uSVP)‏ [Reg '05] (SIVP and GapSVP under quantum reductions)‏ [Pei '09] (GapSVP)‏ All Based on GapSVP and SIVP All Based on GapSVP and quantum SIVP Major Open Problem: Construct cryptosystems based on SIVP

26 Reductions GapSVP BDD 1 1 2 uSVP

27 Proof Sketch (BDD < uSVP)‏

28 Proof Sketch (BDD < uSVP)‏

29 Proof Sketch (BDD < uSVP)‏

30 Proof Sketch (BDD < uSVP)‏

31 Proof Sketch (BDD < uSVP)‏

32 Proof Sketch (BDD < uSVP)‏
New basis vector used exactly once in constructing the unique shortest vector

33 Proof Sketch (BDD < uSVP)‏
New basis vector used exactly once in constructing the unique shortest vector

34 Proof Sketch (BDD < uSVP)‏
New basis vector used exactly once in constructing the unique shortest vector Subtracting unique shortest vector from new basis vector gives the closest point to the target.

35 Open Problems Can we construct cryptosystems based on SIVP
(SVP would be even better!)‏ Can the reduction GapSVP < BDD be tightened? Can the reduction BDD < uSVP be tightened?

36 Thanks!

Download ppt "On Bounded Distance Decoding, Unique Shortest Vectors, and the"

Similar presentations

Lattice-based Cryptography

Lattice-based Cryptography
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.

Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.

Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.
Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)
The Closest Vector is Hard to Approximate and now, for unlimited time only with Pre - Processing !! Nisheeth vishnoi Subhash Khot Michael Alekhnovich Joint.

The Closest Vector is Hard to Approximate and now, for unlimited time only with Pre - Processing !! Nisheeth vishnoi Subhash Khot Michael Alekhnovich Joint.
Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.

Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs.

Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs.
阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Lattice-Based Cryptography

Lattice-Based Cryptography
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.

ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
Diophantine Approximation and Basis Reduction

Diophantine Approximation and Basis Reduction

Similar presentations

Ads by Google