Presentation is loading. Please wait.

Presentation is loading. Please wait.

Better Key Sizes (and Attacks) for LWE-Based Encryption Richard LindnerChris Peikert.

Published byBlanche Brittany Burns Modified over 9 years ago

Similar presentations

Presentation on theme: "Better Key Sizes (and Attacks) for LWE-Based Encryption Richard LindnerChris Peikert."— Presentation transcript:

1 Better Key Sizes (and Attacks) for LWE-Based Encryption Richard LindnerChris Peikert

2 Motivation Learning with Errors (LWE) is ■ Lattice-based ■ Similar to well-known coding problems [McE78, Nie86] ■ Secure assuming worst-case hardness [Reg05, Pei09] ■ Extremely versatile ■ Encryption secure against CPA [Reg05, KTX07, PVW08] ■ Encryption secure against CCA [PW08, Pei09] ■ Oblivious Transfer [PVW08] ■ (Hierarchical) Identity-based encryption [GPV08, CHKP10, ABB10] ■ Leakage-resilient encryption [AGV09, ACPS09, DGK+10, GKPV10] ■…■… 18 February 2011 2 CT-RSA 2011 Encryption secure against CPA [Reg05, KTX07, PVW08]

3 Agenda New Scheme New Attack New Parameters 18 February 2011 3 CT-RSA 2011

4 Agenda New Scheme New Attack New Parameters 18 February 2011 4 CT-RSA 2011

5 Learning with Errors[Reg05, Pei09] Given random A in Z q n x m p t = s t A + r t (mod q) s secret r small Gaussian (0,σ 2 ) 18 February 2011 5 CT-RSA 2011 Hardness If σ 2 ≥ 4n then O(nq/σ)-SIVP ≤ Search-LWE Equivalence If q small prime then Search-LWE ≤ Decision-LWE Decision-LWE Distinguish (A, p) from uniform Search-LWE Find r (or s) = p r A s +

6 Encryption Scheme Given random A in Z q n x m p t = s t A + r t (mod q) s secret r small Gaussian (0,σ 2 ) 18 February 2011 6 CT-RSA 2011 Encryption ■ A, p is the public key ■ LWE hides secret key ■ Leftover Hash Lemma hides ciphertext = p r A s + 0 m = e c + A p

7 New Scheme 18 February 2011 7 CT-RSA 2011 = e2e2 + A p e1e1 + c 0 m p = r A + s 0 m = e c + A p = p r A s +

8 New Scheme New Encryption ■ LWE hides secret key and ciphertext ■ Technique similar to [LPS10, Mic10] Advantages ■ Save lg(q) factor on public key A, per-user key p ■ Adaptable to rings 18 February 2011 8 CT-RSA 2011 = e2e2 + A p e1e1 + c 0 m p = r A + s

9 Agenda New Scheme ■ Save lg(q) factor on public and per-user key ■ Adaptable to rings New Attack New Parameters 18 February 2011 9 CT-RSA 2011

10 Agenda New Scheme ■ Save lg(q) factor on public and per-user key ■ Adaptable to rings New Attack New Parameters 18 February 2011 10 CT-RSA 2011

11 LWE Attacks Attack on Decision ■ Find short z in L dual (Az = 0) ■ p t z = s t Az + r t z = r t z small iff p is LWE Given random A in Z q n x m p t = s t A + r t (mod q) s secret r small Gaussian (0, σ 2 ) 18 February 2011 11 CT-RSA 2011 New Attack on Search ■ Find short basis of L ■ Solve bounded distance decoding on p to recover r ■ T Total = T Reduce + T BDD Lattice ■ Set of all s t A (mod q) forms lattice L ■ p is lattice point perturbed by r

12 BDD - Nearest Plane[Bab86] 18 February 2011 12 CT-RSA 2011 b1b1 b2b2 stAstA ptpt

13 BDD - Nearest Planes 18 February 2011 13 CT-RSA 2011 b1b1 b2b2 Recurse twice on b 2 stAstA ptpt

14 Summary Can recurse many times to improve success prob Get many candidate e and check which works Attack tweaks ■ Optimal plane selection for known error distribution ■ Recursions parallelizable Advantages ■ Effective with less reduced basis 18 February 2011 14 CT-RSA 2011

15 Agenda New Scheme ■ Save lg(q) factor on public and per-user key ■ Adaptable to rings New Attack ■ Effective with less reduced bases New Parameters 18 February 2011 15 CT-RSA 2011

16 Agenda New Scheme ■ Save lg(q) factor on public and per-user key ■ Adaptable to rings New Attack ■ Effective with less reduced bases New Parameters 18 February 2011 16 CT-RSA 2011

17 New Parameters 18 February 2011 17 CT-RSA 2011 ParametersSuccessAttack [MR09] New (Planes) Keysize:regular / ringProbabilitylog(secs) Previous [MR09] Per-User key: 2736/ 20 KBits ¼ 1 2 -32 219 33 68 27 New (medium security) Per-User key: 392 / 2 KBits ¼ 1 2 -32 258 96 132 90 Advantages ■ Major improvement for high advantage attack ■ Save 90% on keysize and provide better security

18 Contributions New Scheme ■ Save lg(q) factor on public and per-user key ■ Adaptable to rings New Attack ■ Effective with less reduced bases ■ Major improvement for high advantage attack New Parameters ■ Save 90% on keysize and provide better security 18 February 2011 18 CT-RSA 2011

19 Thank you Further Questions? 18 February 2011 19 CT-RSA 2011

Download ppt "Better Key Sizes (and Attacks) for LWE-Based Encryption Richard LindnerChris Peikert."

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.

14. Aug Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
7. Asymmetric encryption-

7. Asymmetric encryption-
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs.

Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky and Daniel Wichs.
Lattice-Based Cryptography

Lattice-Based Cryptography
Identity Based Encryption

Identity Based Encryption
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Lattices for Distributed Source Coding - Reconstruction of a Linear function of Jointly Gaussian Sources -D. Krithivasan and S. Sandeep Pradhan - University.

Lattices for Distributed Source Coding - Reconstruction of a Linear function of Jointly Gaussian Sources -D. Krithivasan and S. Sandeep Pradhan - University.

Similar presentations

Ads by Google