![Page 1: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/1.jpg)
Some Recent Progress inLattice-Based Cryptography
Chris PeikertSRI
TCC 2009
1 / 17
![Page 2: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/2.jpg)
Lattice-Based Cryptography
N= p · q
y = gx mod p
me mod N
e(ga, gb)
=⇒
Why?
I Simple & efficient: linear, parallelizable
I Resists subexp & quantum attacks (so far)
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 2 / 17
![Page 3: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/3.jpg)
Lattice-Based Cryptography
N= p · q
y = gx mod p
me mod N
e(ga, gb)
=⇒
Why?
I Simple & efficient: linear, parallelizable
I Resists subexp & quantum attacks (so far)
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 2 / 17
![Page 4: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/4.jpg)
Lattice-Based Cryptography
N= p · q
y = gx mod p
me mod N
e(ga, gb)
=⇒
Why?
I Simple & efficient: linear, parallelizable
I Resists subexp & quantum attacks (so far)
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 2 / 17
![Page 5: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/5.jpg)
If We Had 6 Hours. . .
I Worst-case / average-case reductions[Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ]
I Cryptanalysis & concrete parameters[LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ]
I Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ]
F Efficiency — complements general techniques
!! Functionality — uses ‘extra features’ of ideals
I Complexity of lattice problems
F Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ]
F Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ]
3 / 17
![Page 6: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/6.jpg)
If We Had 6 Hours. . .
I Worst-case / average-case reductions[Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ]
I Cryptanalysis & concrete parameters[LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ]
I Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ]
F Efficiency — complements general techniques
!! Functionality — uses ‘extra features’ of ideals
I Complexity of lattice problems
F Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ]
F Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ]
3 / 17
![Page 7: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/7.jpg)
If We Had 6 Hours. . .
I Worst-case / average-case reductions[Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ]
I Cryptanalysis & concrete parameters[LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ]
I Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ]
F Efficiency — complements general techniques
!! Functionality — uses ‘extra features’ of ideals
I Complexity of lattice problems
F Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ]
F Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ]
3 / 17
![Page 8: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/8.jpg)
If We Had 6 Hours. . .
I Worst-case / average-case reductions[Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ]
I Cryptanalysis & concrete parameters[LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ]
I Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ]
F Efficiency — complements general techniques
!! Functionality — uses ‘extra features’ of ideals
I Complexity of lattice problems
F Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ]
F Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ]
3 / 17
![Page 9: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/9.jpg)
If We Had 6 Hours. . .
I Worst-case / average-case reductions[Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ]
I Cryptanalysis & concrete parameters[LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ]
I Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ]
F Efficiency — complements general techniques
!! Functionality — uses ‘extra features’ of ideals
I Complexity of lattice problems
F Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ]
F Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ]
3 / 17
![Page 10: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/10.jpg)
This Talk
Hard Avg-Case Problems
CryptoFunctions
AbstractProperties
Applications
Goals1 ‘De-mystify’ lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions
4 / 17
![Page 11: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/11.jpg)
This Talk
Hard Avg-Case Problems
CryptoFunctions
AbstractProperties
Applications
Goals1 ‘De-mystify’ lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions
4 / 17
![Page 12: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/12.jpg)
This Talk
Hard Avg-Case Problems
CryptoFunctions
AbstractProperties
Applications
Goals1 ‘De-mystify’ lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions
4 / 17
![Page 13: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/13.jpg)
This Talk
Hard Avg-Case Problems
CryptoFunctions
AbstractProperties
Applications
Goals1 ‘De-mystify’ lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions
4 / 17
![Page 14: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/14.jpg)
This Talk
Hard Avg-Case Problems
CryptoFunctions
AbstractProperties
Applications
Goals1 ‘De-mystify’ lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions
4 / 17
![Page 15: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/15.jpg)
This Talk
Hard Avg-Case Problems
CryptoFunctions
AbstractProperties
Applications
Goals1 ‘De-mystify’ lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions
4 / 17
![Page 16: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/16.jpg)
LatticesI Today: full-rank subgroup L of Zm (x, y ∈ L ⇒ x± y ∈ L; dim span = m)
I Basis B = {b1, . . . , bm} :
L =m∑
i=1
(Z · bi)
(Other representations too . . . )
O
Hard Computational ProblemsI Find ‘relatively short’ (nonzero) vectors
I Estimate geometric quantities (minimum distance, covering radius, . . . )
5 / 17
![Page 17: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/17.jpg)
LatticesI Today: full-rank subgroup L of Zm
I Basis B = {b1, . . . , bm} :
L =m∑
i=1
(Z · bi)
(Other representations too . . . )
O
b1
b2
Hard Computational ProblemsI Find ‘relatively short’ (nonzero) vectors
I Estimate geometric quantities (minimum distance, covering radius, . . . )
5 / 17
![Page 18: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/18.jpg)
LatticesI Today: full-rank subgroup L of Zm
I Basis B = {b1, . . . , bm} :
L =m∑
i=1
(Z · bi)
(Other representations too . . . )
O
b1
b2
Hard Computational ProblemsI Find ‘relatively short’ (nonzero) vectors
I Estimate geometric quantities (minimum distance, covering radius, . . . )
5 / 17
![Page 19: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/19.jpg)
LatticesI Today: full-rank subgroup L of Zm
I Basis B = {b1, . . . , bm} :
L =m∑
i=1
(Z · bi)
(Other representations too . . . ) O
b1
b2
Hard Computational ProblemsI Find ‘relatively short’ (nonzero) vectors
I Estimate geometric quantities (minimum distance, covering radius, . . . )
5 / 17
![Page 20: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/20.jpg)
LatticesI Today: full-rank subgroup L of Zm
I Basis B = {b1, . . . , bm} :
L =m∑
i=1
(Z · bi)
(Other representations too . . . ) O
b1
b2
Hard Computational ProblemsI Find ‘relatively short’ (nonzero) vectors
I Estimate geometric quantities (minimum distance, covering radius, . . . )
5 / 17
![Page 21: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/21.jpg)
A Combinatorial ProblemI Security param n, modulus q: group Zn
q (e.g., q = poly(n))
I Goal: find nontrivial z ∈ {0,±1}m such that:
Hash Function [Ajtai96,GGH97]
I Set m > n lg q. Define fA : {0, 1}m → Znq
fA(x) = Ax
I Collision x, x′ ∈ {0, 1}m where Ax = Ax′ . . .
. . . yields solution z = x− x′ ∈ {0,±1}m.
6 / 17
![Page 22: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/22.jpg)
A Combinatorial ProblemI Security param n, modulus q: group Zn
q (e.g., q = poly(n))
I Goal: find nontrivial z ∈ {0,±1}m such that:
z1 ·
|a1|
+ z2 ·
|a2|
+
· · ·
+ zm ·
|am
|
=
|0|
∈ Znq
Hash Function [Ajtai96,GGH97]
I Set m > n lg q. Define fA : {0, 1}m → Znq
fA(x) = Ax
I Collision x, x′ ∈ {0, 1}m where Ax = Ax′ . . .
. . . yields solution z = x− x′ ∈ {0,±1}m.
6 / 17
![Page 23: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/23.jpg)
A Combinatorial ProblemI Security param n, modulus q: group Zn
q (e.g., q = poly(n))
I Goal: find nontrivial z1, . . . , zm ∈ {0,±1} such that:
z1 ·
|a1|
+ z2 ·
|a2|
+ · · · + zm ·
|am
|
=
|0|
∈ Znq
Hash Function [Ajtai96,GGH97]
I Set m > n lg q. Define fA : {0, 1}m → Znq
fA(x) = Ax
I Collision x, x′ ∈ {0, 1}m where Ax = Ax′ . . .
. . . yields solution z = x− x′ ∈ {0,±1}m.
6 / 17
![Page 24: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/24.jpg)
A Combinatorial ProblemI Security param n, modulus q: group Zn
q (e.g., q = poly(n))
I Goal: find nontrivial z ∈ {0,±1}m such that:
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Hash Function [Ajtai96,GGH97]
I Set m > n lg q. Define fA : {0, 1}m → Znq
fA(x) = Ax
I Collision x, x′ ∈ {0, 1}m where Ax = Ax′ . . .
. . . yields solution z = x− x′ ∈ {0,±1}m.
6 / 17
![Page 25: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/25.jpg)
A Combinatorial ProblemI Security param n, modulus q: group Zn
q (e.g., q = poly(n))
I Goal: find nontrivial z ∈ {0,±1}m such that:
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Hash Function [Ajtai96,GGH97]
I Set m > n lg q. Define fA : {0, 1}m → Znq
fA(x) = Ax
I Collision x, x′ ∈ {0, 1}m where Ax = Ax′ . . .
. . . yields solution z = x− x′ ∈ {0,±1}m.
6 / 17
![Page 26: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/26.jpg)
A Combinatorial ProblemI Security param n, modulus q: group Zn
q (e.g., q = poly(n))
I Goal: find nontrivial z ∈ {0,±1}m such that:
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Hash Function [Ajtai96,GGH97]
I Set m > n lg q. Define fA : {0, 1}m → Znq
fA(x) = Ax
I Collision x, x′ ∈ {0, 1}m where Ax = Ax′ . . .
. . . yields solution z = x− x′ ∈ {0,±1}m.
6 / 17
![Page 27: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/27.jpg)
A Combinatorial ProblemI Security param n, modulus q: group Zn
q (e.g., q = poly(n))
I Goal: find nontrivial z ∈ {0,±1}m such that:
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Hash Function [Ajtai96,GGH97]
I Set m > n lg q. Define fA : {0, 1}m → Znq
fA(x) = Ax
I Collision x, x′ ∈ {0, 1}m where Ax = Ax′ . . .
. . . yields solution z = x− x′ ∈ {0,±1}m.
6 / 17
![Page 28: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/28.jpg)
Geometric PerspectiveI ‘Parity check’ matrix A ∈ Zn×m
q
L⊥(A) = {z ∈ Zm : Az = 0}
I Each x ∈ Zm has syndrome
u = Ax ∈ Znq
I Enlarge domain of fA to . . .. . . still O-W & C-R!
O
Average / Worst-Case Connection [Ajtai96,. . . ]
⇓approx lattice problems in worst case
7 / 17
![Page 29: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/29.jpg)
Geometric PerspectiveI ‘Parity check’ matrix A ∈ Zn×m
q
L⊥(A) = {z ∈ Zm : Az = 0}
I Each x ∈ Zm has syndrome
u = Ax ∈ Znq
I Enlarge domain of fA to . . .. . . still O-W & C-R!
O
(0, q)
(q, 0)
Average / Worst-Case Connection [Ajtai96,. . . ]
⇓approx lattice problems in worst case
7 / 17
![Page 30: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/30.jpg)
Geometric PerspectiveI ‘Parity check’ matrix A ∈ Zn×m
q
L⊥(A) = {z ∈ Zm : Az = 0}
I Each x ∈ Zm has syndrome
u = Ax ∈ Znq
I Enlarge domain of fA to . . .. . . still O-W & C-R!
O
(0, q)
(q, 0)
Average / Worst-Case Connection [Ajtai96,. . . ]
⇓approx lattice problems in worst case
7 / 17
![Page 31: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/31.jpg)
Geometric PerspectiveI ‘Parity check’ matrix A ∈ Zn×m
q
L⊥(A) = {z ∈ Zm : Az = 0}
I Each x ∈ Zm has syndrome
u = Ax ∈ Znq
I Enlarge domain of fA to . . .. . . still O-W & C-R!
O
(0, q)
(q, 0)
Average / Worst-Case Connection [Ajtai96,. . . ]
Finding ‘short’ nonzero z ∈ L⊥(A)⇓
approx lattice problems in worst case
7 / 17
![Page 32: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/32.jpg)
Geometric PerspectiveI ‘Parity check’ matrix A ∈ Zn×m
q
L⊥(A) = {z ∈ Zm : Az = 0}
I Each x ∈ Zm has syndrome
u = Ax ∈ Znq
I Enlarge domain of fA to . . .. . . still O-W & C-R!
O
(0, q)
(q, 0)
Average / Worst-Case Connection [Ajtai96,. . . ]
Finding ‘short’ nonzero z ∈ L⊥(A)⇓
approx lattice problems in worst case
7 / 17
![Page 33: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/33.jpg)
Geometric PerspectiveI ‘Parity check’ matrix A ∈ Zn×m
q
L⊥(A) = {z ∈ Zm : Az = 0}
I Each x ∈ Zm has syndrome
u = Ax ∈ Znq
I Enlarge domain of fA to . . .. . . still O-W & C-R!
O
(0, q)
(q, 0)
x
Average / Worst-Case Connection [Ajtai96,. . . ]
Finding ‘short’ x with (uniform) syndrome u⇓
approx lattice problems in worst case
7 / 17
![Page 34: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/34.jpg)
Geometric PerspectiveI ‘Parity check’ matrix A ∈ Zn×m
q
L⊥(A) = {z ∈ Zm : Az = 0}
I Each x ∈ Zm has syndrome
u = Ax ∈ Znq
I Enlarge domain of fA to . . .. . . still O-W & C-R!
O
(0, q)
(q, 0)
x
Average / Worst-Case Connection [Ajtai96,. . . ]
Finding ‘short’ x with (uniform) syndrome u⇓
approx lattice problems in worst case
7 / 17
![Page 35: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/35.jpg)
Gaussians and Lattices
“Uniform” over Rm when std dev ≥ min basis length
(Used in worst/average-case reductions [Re03,MR04,. . . ])
8 / 17
![Page 36: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/36.jpg)
Gaussians and Lattices
“Uniform” over Rm when std dev ≥ min basis length
(Used in worst/average-case reductions [Re03,MR04,. . . ])
8 / 17
![Page 37: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/37.jpg)
Gaussians and Lattices
“Uniform” over Rm when std dev ≥ min basis length
(Used in worst/average-case reductions [Re03,MR04,. . . ])
8 / 17
![Page 38: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/38.jpg)
Gaussians and Lattices
“Uniform” over Rm when std dev ≥ min basis length
(Used in worst/average-case reductions [Re03,MR04,. . . ])
8 / 17
![Page 39: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/39.jpg)
Discrete Gaussians
I Fix uniform A. Choose Gaussian input x ∈ Zm:
1 Uniform coset/syndrome u = Ax = fA(x)
2 Conditional ‘discrete Gaussian’ DA,u on x, given u
(Analyzed in [Ba93,Re03,AR04,MR04,Re05,PR06,LM06,Pe07,. . . ])
x
9 / 17
![Page 40: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/40.jpg)
Discrete Gaussians
I Fix uniform A. Choose Gaussian input x ∈ Zm:
1 Uniform coset/syndrome u = Ax = fA(x)
2 Conditional ‘discrete Gaussian’ DA,u on x, given u
(Analyzed in [Ba93,Re03,AR04,MR04,Re05,PR06,LM06,Pe07,. . . ])
x
9 / 17
![Page 41: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/41.jpg)
Discrete Gaussians
I Fix uniform A. Choose Gaussian input x ∈ Zm:
1 Uniform coset/syndrome u = Ax = fA(x)
2 Conditional ‘discrete Gaussian’ DA,u on x, given u
(Analyzed in [Ba93,Re03,AR04,MR04,Re05,PR06,LM06,Pe07,. . . ])
9 / 17
![Page 42: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/42.jpg)
Discrete Gaussians
I Fix uniform A. Choose Gaussian input x ∈ Zm:
1 Uniform coset/syndrome u = Ax = fA(x)
2 Conditional ‘discrete Gaussian’ DA,u on x, given u
(Analyzed in [Ba93,Re03,AR04,MR04,Re05,PR06,LM06,Pe07,. . . ])
9 / 17
![Page 43: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/43.jpg)
A ‘Master’ Trapdoor
Suitable ‘trapdoor’⇓
Invert fA in a very strong sense
Theorem [GPV08]
Given any short B and u,
can efficiently sample x← f−1A (u)
according to DA,u
I Dist DA,u leaks nothing about B !
I Generate A with B [Aj99,AP09]
10 / 17
![Page 44: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/44.jpg)
A ‘Master’ Trapdoor
Short basis B of L⊥(A)⇓
Invert fA in a very strong sense
Theorem [GPV08]
Given any short B and u,
can efficiently sample x← f−1A (u)
according to DA,u
I Dist DA,u leaks nothing about B !
I Generate A with B [Aj99,AP09]
10 / 17
![Page 45: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/45.jpg)
A ‘Master’ Trapdoor
Short basis B of L⊥(A)⇓
Invert fA in a very strong sense
Theorem [GPV08]
Given any short B and u,
can efficiently sample x← f−1A (u)
according to DA,u
I Dist DA,u leaks nothing about B !
I Generate A with B [Aj99,AP09]
10 / 17
![Page 46: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/46.jpg)
A ‘Master’ Trapdoor
Short basis B of L⊥(A)⇓
Invert fA in a very strong sense
Theorem [GPV08]
Given any short B and u,
can efficiently sample x← f−1A (u)
according to DA,u
I Dist DA,u leaks nothing about B !
I Generate A with B [Aj99,AP09]
10 / 17
![Page 47: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/47.jpg)
A ‘Master’ Trapdoor
Short basis B of L⊥(A)⇓
Invert fA in a very strong sense
Theorem [GPV08]
Given any short B and u,
can efficiently sample x← f−1A (u)
according to DA,u
I Dist DA,u leaks nothing about B !
I Generate A with B [Aj99,AP09]
10 / 17
![Page 48: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/48.jpg)
Abstractly: Preimage Sampleable Function
D R
xu
fA
I Generalizes TDPs, claw-free pairs, Rabin, . . .
I Can generate (x, u) in two equivalent ways:
REAL SIMULATION
Rux
f−1A
D x u
fA
I Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .
11 / 17
![Page 49: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/49.jpg)
Abstractly: Preimage Sampleable Function
D R
xu
fA
I Generalizes TDPs, claw-free pairs, Rabin, . . .
I Can generate (x, u) in two equivalent ways:
REAL SIMULATION
Rux
f−1A
D x u
fA
I Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .
11 / 17
![Page 50: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/50.jpg)
Abstractly: Preimage Sampleable Function
D R
xu
f−1A
I Generalizes TDPs, claw-free pairs, Rabin, . . .
I Can generate (x, u) in two equivalent ways:
REAL SIMULATION
Rux
f−1A
D x u
fA
I Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .
11 / 17
![Page 51: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/51.jpg)
Abstractly: Preimage Sampleable Function
D R
xu
f−1A
I Generalizes TDPs, claw-free pairs, Rabin, . . .
I Can generate (x, u) in two equivalent ways:
REAL SIMULATION
Rux
f−1A
D x u
fA
I Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .
11 / 17
![Page 52: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/52.jpg)
Abstractly: Preimage Sampleable Function
D R
xu
f−1A
I Generalizes TDPs, claw-free pairs, Rabin, . . .
I Can generate (x, u) in two equivalent ways:
REAL SIMULATION
Rux
f−1A
D x u
fA
I Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .
11 / 17
![Page 53: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/53.jpg)
Abstractly: Preimage Sampleable Function
D R
xu
f−1A
I Generalizes TDPs, claw-free pairs, Rabin, . . .
I Can generate (x, u) in two equivalent ways:
REAL SIMULATION
Rux
f−1A
D x u
fA
I Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .
11 / 17
![Page 54: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/54.jpg)
Abstractly: Preimage Sampleable Function
D R
xu
f−1A
I Generalizes TDPs, claw-free pairs, Rabin, . . .
I Can generate (x, u) in two equivalent ways:
REAL SIMULATION
Rux
f−1A
D x u
fA
I Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .
11 / 17
![Page 55: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/55.jpg)
Onward, to Cryptomania . . .
12 / 17
![Page 56: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/56.jpg)
Learning with Errors
I Goal: distinguish ‘noisy inner products’ from uniform.
a1 , b1 = 〈a1 , s〉+ e1
a2 , b2 = 〈a2 , s〉+ e2
...
I Generator matrix At:
L(A) = {z ∈ Zm : ∃s. z ≡ Ats mod q}
‘Bounded-distance’ (unique) decoding
I Worst-case hardness [Re05,Pe09]
I Basis of much crypto[Re05,PW08,GPV08,PVW08,CDMW08,AGV09,CPS09,. . . ]
13 / 17
![Page 57: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/57.jpg)
Learning with Errors
I Goal: distinguish ‘noisy inner products’ from uniform.
a1 , b1
a2 , b2
...
I Generator matrix At:
L(A) = {z ∈ Zm : ∃s. z ≡ Ats mod q}
‘Bounded-distance’ (unique) decoding
I Worst-case hardness [Re05,Pe09]
I Basis of much crypto[Re05,PW08,GPV08,PVW08,CDMW08,AGV09,CPS09,. . . ]
13 / 17
![Page 58: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/58.jpg)
Learning with Errors
I Goal: distinguish ‘noisy inner products’ from uniform.
m
...At
...
,
...b...
= Ats + e
I Generator matrix At:
L(A) = {z ∈ Zm : ∃s. z ≡ Ats mod q}
‘Bounded-distance’ (unique) decoding
I Worst-case hardness [Re05,Pe09]
I Basis of much crypto[Re05,PW08,GPV08,PVW08,CDMW08,AGV09,CPS09,. . . ]
13 / 17
![Page 59: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/59.jpg)
Learning with Errors
I Goal: distinguish ‘noisy inner products’ from uniform.
m
...At
...
,
...b...
= Ats + e
I Generator matrix At:
L(A) = {z ∈ Zm : ∃s. z ≡ Ats mod q}
‘Bounded-distance’ (unique) decoding
I Worst-case hardness [Re05,Pe09]
I Basis of much crypto[Re05,PW08,GPV08,PVW08,CDMW08,AGV09,CPS09,. . . ]
13 / 17
![Page 60: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/60.jpg)
Learning with Errors
I Goal: distinguish ‘noisy inner products’ from uniform.
m
...At
...
,
...b...
= Ats + e
I Generator matrix At:
L(A) = {z ∈ Zm : ∃s. z ≡ Ats mod q}
‘Bounded-distance’ (unique) decoding
I Worst-case hardness [Re05,Pe09]
I Basis of much crypto[Re05,PW08,GPV08,PVW08,CDMW08,AGV09,CPS09,. . . ]
13 / 17
![Page 61: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/61.jpg)
Learning with Errors
I Goal: distinguish ‘noisy inner products’ from uniform.
m
...At
...
,
...b...
= Ats + e
I Generator matrix At:
L(A) = {z ∈ Zm : ∃s. z ≡ Ats mod q}
‘Bounded-distance’ (unique) decoding
I Worst-case hardness [Re05,Pe09]
I Basis of much crypto[Re05,PW08,GPV08,PVW08,CDMW08,AGV09,CPS09,. . . ]
13 / 17
![Page 62: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/62.jpg)
Key Agreement & Encryption
A
x s, e
u = Ax(public key)
b = Ats + e(ciphertext ‘preamble’)
〈x, b〉 ≈ 〈u, s〉 b′ = 〈u, s〉+ e′
(key / ‘pad’)
(A, u, b, b′)
14 / 17
![Page 63: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/63.jpg)
Key Agreement & Encryption
A
x s, e
u = Ax(public key)
b = Ats + e(ciphertext ‘preamble’)
〈x, b〉 ≈ 〈u, s〉 b′ = 〈u, s〉+ e′
(key / ‘pad’)
(A, u, b, b′)
14 / 17
![Page 64: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/64.jpg)
Key Agreement & Encryption
A
x s, e
u = Ax(public key)
b = Ats + e(ciphertext ‘preamble’)
〈x, b〉 ≈ 〈u, s〉 b′ = 〈u, s〉+ e′
(key / ‘pad’)
(A, u, b, b′)
14 / 17
![Page 65: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/65.jpg)
Key Agreement & Encryption
A
x s, e
u = Ax(public key)
b = Ats + e(ciphertext ‘preamble’)
〈x, b〉 ≈ 〈u, s〉
b′ = 〈u, s〉+ e′
(key / ‘pad’)
(A, u, b, b′)
14 / 17
![Page 66: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/66.jpg)
Key Agreement & Encryption
A
x s, e
u = Ax(public key)
b = Ats + e(ciphertext ‘preamble’)
〈x, b〉 ≈ 〈u, s〉 b′ = 〈u, s〉+ e′
(key / ‘pad’)
(A, u, b, b′)
14 / 17
![Page 67: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/67.jpg)
Key Agreement & Encryption
A
x s, e
u = Ax(public key)
b = Ats + e(ciphertext ‘preamble’)
〈x, b〉 ≈ 〈u, s〉 b′ = 〈u, s〉+ e′
(key / ‘pad’)
(A, u, b, b′)
14 / 17
![Page 68: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/68.jpg)
Key Agreement & Encryption
A
x s, e
u = Ax(public key)
b = Ats + e(ciphertext ‘preamble’)
〈x, b〉 ≈ 〈u, s〉 b′ = 〈u, s〉+ e′
(key / ‘pad’)
(A, u, b, b′)
14 / 17
![Page 69: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/69.jpg)
ID-Based Encryption [GPV08]
A
s, e
u = H(“alice”)(public key)
b = Ats + e(ciphertext randomness)
〈x, b〉 ≈ 〈u, s〉 b′ = 〈u, s〉+ e′
(key / ‘pad’)
x← f−1A (u)
15 / 17
![Page 70: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/70.jpg)
Some Open Areas
1 Hash-and-sign sigs / IBE without random oracle ?
RSA / pairing-style ‘accumulator’ ?
2 More expressive encryption / IBE schemes ?
3 Connections to number-theoretic problems ?
16 / 17
![Page 71: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/71.jpg)
Some Open Areas
1 Hash-and-sign sigs / IBE without random oracle ?
RSA / pairing-style ‘accumulator’ ?
2 More expressive encryption / IBE schemes ?
3 Connections to number-theoretic problems ?
16 / 17
![Page 72: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/72.jpg)
Some Open Areas
1 Hash-and-sign sigs / IBE without random oracle ?
RSA / pairing-style ‘accumulator’ ?
2 More expressive encryption / IBE schemes ?
3 Connections to number-theoretic problems ?
16 / 17
![Page 73: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/73.jpg)
Further Reading
I Survey “Cryptographic functions from worst-case complexityassumptions” [Micciancio07]
I Survey “Lattice-based cryptography” [MicciancioRegev09]
Thanks!
17 / 17
![Page 74: Some Recent Progress in Lattice-Based Cryptographycpeikert/pubs/slides-tcc09.pdf · 2015-09-08 · I Cyclic / Ideallattices [Mi02,PR06,LM06,PR07,LM08,Ge09,...] F Efficiency — complements](https://reader034.vdocuments.site/reader034/viewer/2022042402/5f10c3fe7e708231d44ab609/html5/thumbnails/74.jpg)
Further Reading
I Survey “Cryptographic functions from worst-case complexityassumptions” [Micciancio07]
I Survey “Lattice-based cryptography” [MicciancioRegev09]
Thanks!
17 / 17