Download harmonic

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
Document related concepts

History of statistics wikipedia , lookup

Transcript 
New Lattice Based
Cryptographic Constructions
Oded Regev
1
Lattices
• Basis: v1,…,vn vectors in
Rn
• The lattice is
a1v1+…+anvn for all
integer a1,…,an.
• What is the shortest
vector u ?
2v1 v1+v2
v1
2v2
v2 2v2-v1
2v2-2v1
0
2
Lattices – not so easy
v1
v2
3v1-4v2
0
3
f(n)-unique-SVP (shortest
vector problem)
• Promise: the shortest
vector u is shorter by a
factor of f(n)
• Algorithm for 2n-unique
SVP [LLL82,Schnorr87]
• Believed to be hard for
any nc
nc
1
believed hard
2n
easy
4
History
• Geometric objects with rich structure
• Early work by Gauss 1801, Hermite 1850,
Minkowski 1896
• More recent developments:
– LLL Algorithm - approximates the shortest
vector in a lattice [LenstraLenstraLovàsz82]
• Factoring rational polynomials
• Solving integer programs in a fixed dimension
• Breaking knapsack cryptosystems
– Ajtai’s average case connection [Ajtai96]
• Lattice based cryptosystems
5
Question
Uniform?
Prob
• From which distribution is the following
sequence taken?
478, 21, 431, 897, 150, 701, 929, 232
Or wavy?
1000
Prob
1
1
6
1000
The d,γ-wavy Distribution
Periodization of the normal distribution
R=2^(2n2)
Number of periods is d (usually integer)
Ratio of period to standard dev. is γ
distd : {0,…,R-1}  [0,½] is the normalized
distance from the nearest peak
=γ
d=7
Prob
•
•
•
•
•
0
7
R-1
Main Theorem
• For all γ=γ(n), a reduction from
γn1/2-unique Shortest Vector Problem
to
distinguishing between the uniform
distribution and the d,γ-wavy
distributions with an integer d<2^(n2)
8
Average-case Theorem
• For all γ=γ(n), a reduction from
γn1/2-unique Shortest Vector Problem
to
distinguishing between the uniform
distribution and the d,γ-wavy
distributions for a non-negligible
fraction of values d in [2^(n2),2•2^(n^2)]
9
Applications of Main Theorem
1. Public key encryption scheme
2. Collision resistant hash function
3. A problem in quantum computation
10
Cryptography
• ‘Standard’ cryptography:
• Usually based on factoring, discrete log,
principal ideal problem
• Average case assumption
• Mostly broken by quantum computers
• Lattice based cryptography [Ajtai96,…]:
• Based on lattice problems
• Worst case assumption
• Still not broken by quantum computers
11
Application 1
Public Key Encryption (PKE)
• Consists of private key, public key,
encryption and decryption
• The Ajtai-Dwork cryptosystem
[AjtaiDwork96,GoldreichGoldwasserHalevi97]
• Previously, the only lattice based PKE with
worst case assumption
• Based on n7-unique Shortest Vector
Problem
12
Application 1
Public Key Encryption (PKE)
• We construct a new lattice based PKE from
the average-case theorem:
• Very simple description
• Improves Ajtai-Dwork to n1.5-unique
Shortest Vector Problem
• Uses integer numbers, very efficient
13
Application 2
Collision Resistant Hash Function
• A function f:{0,1}r{0,1}s with r>s such that
it is hard to find collisions, i.e.,
xy s.t. f(x)=f(y)
• Many previous constructions [Ajtai96,
GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99,
Micciancio02, Micciancio02]
• Our construction is
• The first which is not based on Ajtai’s
iterative step
14
• Somewhat stronger (based on n1.5-uSVP)
Application 3
Quantum Computation
• Quantum computers can break cryptography
based on factoring [Shor96]
• Based on the HSP on Abelian groups
• What about lattice based cryptography?
15
Application 3
Quantum Computation
• Lattice based cryptography can be broken
using the HSP on Dihedral groups [R’02]
• Our main theorem explains the failure of
previous attempts to solve the HSP on
Dihedral groups [EttingerHoyer’00]
16
Main Theorem
• For all γ=γ(n), a reduction from
γn1/2-unique Shortest Vector Problem
to
distinguishing between the uniform
distribution and the d,γ-wavy
distributions with an integer d<2^(n2)
17
Proof of the
Main Theorem
18
Proof Outline
n1.5-Unique-SVP
decision problem
promise problem
n-dim distributions
Main theorem
19
Reduction to:
Decision Problem
• Given a n1.5-unique lattice, and a prime p>n1.5
• Assume the shortest vector is:
u = a1v1+a2v2+…+anvn
• Decide whether a1 is divisible by p
20
The Reduction
• Idea: decrease the coefficients of the
shortest vector
• If we find out that p|a1 then we can replace
the basis with pv1,v2,…,vn .
• u is still in the new lattice:
u = (a1/p)•pv1 + a2v2 + … + anvn
• The same can be done whenever p|ai for
some i
21
The Reduction
• But what if p | ai for all i ?
• Consider the basis v1,v2-v1,v3,…,vn
• The shortest vector is
u = (a1+a2)v1 + a2(v2-v1) + a3v3 + … + anvn
• The first coefficient is a1+a2
• Similarly, we can set it to
a1-bp/2ca2 ,…, a1-a2 , a1 , a1+a2 , … , a1+bp/2ca2
• One of them is divisible by p, so we choose it
and continue
22
Proof Outline
n1.5-Unique-SVP

decision problem
promise problem
n-dim distributions
Main theorem
23
Reduction from:
Decision Problem
• Given a n1.5-unique lattice, and a prime p>n1.5
• Assume the shortest vector is:
u = a1v1+a2v2+…+anvn
• Decide whether a1 is divisible by p
24
Reduction to:
Promise Problem
• Given a lattice, distinguish between:
Case 1. Shortest vector is of length 1/n and all
non-parallel vectors are of length more than n
Case 2. Shortest vector is of length more than n
25
The reduction
• Input: a basis (v1,…,vn) of a n1.5 unique lattice
• Scale the lattice so that the shortest vector
is of length 1/n
• Replace v1 by pv1. Let M be the resulting
lattice
• If p | a1 then M has shortest vector 1/n and
all non-parallel vectors more than n
• If p | a1 then M has shortest vector more
than n
26
The input lattice L
L
-u
0 u
2u
27
The lattice M
• The lattice M is spanned by pv1,v2,…,vn:
• If p|a1, then u = (a1/p)•pv1 + a2v2 +…+ anvn 2M :
M
0
u
28
The lattice M
• The lattice M is spanned by pv1,v2,…,vn:
• If p | a1, then u 2 M:
M
-pu
0
pu
29
Proof Outline
n1.5-Unique-SVP

decision problem

promise problem
n-dim distributions
Main theorem
30
Reduction from:
Promise Problem
• Given a lattice, distinguish between:
Case 1. Shortest vector is of length 1/n and all
non-parallel vectors are of length more than n
Case 2. Shortest vector is of length more than n
31
n-dimensional distributions
• Distinguish between the distributions:
?
Wavy
Uniform
32
Dual Lattice
• Given a lattice L, the dual lattice is
L* = { x | 8y2L, <x,y>2Z }
L
L*
0
0
33
L* - the dual of L
L
Case 1
Case 2
L*
0
0
0
34
Reduction
• Choose a point randomly from L*
• Perturb it by a Gaussian of radius n
35
Creating the Distribution
L*
Case 1
L*+ perturb
0
Case 2
36
Analyzing the Distribution
• Theorem: (using [Banaszczyk’93])
The distribution obtained above depends only on
the points in L of distance n from the origin
(up to an exponentially small error)
• Therefore,
Case 1: Determined by multiples of u 
wavy on hyperplanes orthogonal to u
Case 2: Determined by the origin 
uniform
37
Proof of Theorem
• For a set A in Rn, define:
 ( A)  xA e
 x
2
• Poisson Summation Formula implies:
y   ,  ( y  L )  d ( L)  xL e
n
*
2i  x , y 
 ({x})
• Banaszczyk’s theorem:
For any lattice L,
 ( L  n Bn )  2
( n )
 ( L  n Bn )
38
Proof of Theorem (cont.)
• In Case 2, the distribution obtained is very
close to uniform:
y   ,  ( y  L )  d ( L)  xL e
n
*

d ( L)  1  xL {0} e
2i  x , y 
2i  x , y 
 ({x}) 

 ({x})  d ( L)
• Because:

xL {0}
e
2i  x , y 
 ({x})  xL{0}  ({x}) 
 ( L  {0})   ( L  n Bn ) 
2
 ( n )
 ( L  n Bn )  2
( n )
39
Proof Outline
n1.5-Unique-SVP

decision problem

promise problem

n-dim distributions
Main theorem
40
n-dimensional distributions
• Distinguish between the distributions
• Given by an oracle that returns points
inside a cube of side length 2n
?
Wavy
Uniform
41
Main Theorem
• Distinguish between the distributions:
Uniform:
0
R-1
Wavy:
0
42
R-1
Reducing to 1-dimension
• First attempt: sample and project to a line
43
Reducing to 1-dimension
• But then we lose the wavy structure!
• We should project only from points very
close to the line
44
The solution
• Use the periodicity of the distribution
• Project on a ‘dense line’ :
45
The solution
46
The solution
• We choose the line that connects the origin
to e1+Ke2+K2e3…+Kn-1en where K is large
enough
•
•
•
•
The distance between hyperplanes is n
The sides are of length 2n
Therefore, we choose K=2O(n)
Hence, d<O(Kn)=2^(O(n2))
47
Done
n1.5-Unique-SVP

decision problem

promise problem

n-dim distributions

Main theorem
48
From Worst-Case to Average-Case
49
Worst-case vs. Average-case
• Main theorem presents a problem that is
hard in the worst-case: distinguish between
uniform and d,γ-wavy distributions for all
integers d<2^(n2)
• For cryptographic applications, we would like
to have a problem that is hard on the
average: distinguish between uniform and
d,γ-wavy distributions for a non-negligible
fraction of d in [2^(n2), 2•2^(n2)]
50
Compressing
• The following procedure transforms d,γ-wavy
into 2d,γ-wavy for all integer d:
– Sample a from the distribution
– Return either a/2 or (a+R)/2 with probability ½
• In general, for any real a1, we can compress
d,γ-wavy into ad,γ-wavy
• Notice that compressing preserves the
uniform distribution
• We show a reduction from worst-case to
51
average-case
Reduction
• Assume there exists a distinguisher between
uniform and d,γ-wavy distribution for some nonnegligible fraction of d in [2^(n2), 2•2^(n2)]
• Given either a uniform or a d,γ-wavy distribution
for some integer d<2^(n2) repeat the following:
– Choose a in {1,…,2¢2^(n2)} according to a certain
distribution
– Compress the distribution by a
– Check the distinguisher’s acceptance probability
• If for some a the acceptance probability differs
from that of uniform sequences, return ‘wavy’;
otherwise, return ‘uniform’
52
Reduction
• Distribution is uniform:
– After compression it is still uniform
– Hence, the distinguisher’s acceptance probability
equals that of uniform sequences for all a
• Distribution is d,γ-wavy:
– After compression it is in the good range with
some probability
– Hence, for some a, the distinguisher’s
acceptance probability differs from that of
uniform sequences
1
…
d
2^(n2)
…
2¢2^(n2)
53
Application 1
Public Key Encryption Scheme
54
PKE – Description
• Let m=2log2R=4n2
• Private key:
– A real number y chosen uniformly in
[2^(n2),2¢2^(n2)] such that y is close to an
integer (1/100m)
• Public key:
– Choose integers A={a1,…,am} from the y,γ-wavy
distribution with γ=n1+ε
• Lemma: Public keys are indistinguishable
from uniform sequences (based on n1.5+ε
unique-SVP)
55
PKE – Description (cont.)
• Private key: y
• Public key: A={a1,…,am}
• Encryption:
– Bit 0: a number chosen uniformly in {0,…,R-1}
– Bit 1: the sum of a random subset of A mod R
• Decryption of w:
– If disty(w)<1/50 then 1 otherwise 0
56
PKE – Correctness
• Encryption of the bit 0:
– With probability 96%, disty(Sai)>1/50
– These errors can be avoided
• Encryption of the bit 1:
– For a subset S, with high probability,
disty(Sai)<1/100
– Using Sai < m¢R,
disty(Sai mod R)<1/50
57
PKE - Security
• Lemma: If {a1,…,am} is a uniform sequence
then both encryptions of 0 and of 1 are
uniform
• Hence, distinguishing between encryptions of
0 and 1 implies distinguishing between public
keys and uniform sequences!
public key
Enc(0) ?
Enc(1)
uniform
Enc(0)~
Enc(1)
{a1,…,am}
{a1,…,am}
58
PKE – Security
• Lemma: Public keys are indistinguishable
from uniform sequences (based on n1.5+ε
unique-SVP)
• Proof: Follows from the average-case
theorem (since we choose y from a set of
size 1/(50m) of all [2^(n2),2¢2^(n2)])
59
Application 2
Collision Resistant Hash Function
60
Collision Resistant Hash Function
• Choose a1,…,am uniformly in {0,…,R-1} where
m=2log2R=4n2. Then:
b1,…,bm{0,1}, f(b1,…,bm)=Σbiai mod R
• We will see a simpler proof based on n2.5+εuSVP
61
Collision Resistant Hash Function
• Assume there exists a collision finding
algorithm C
• I.e., with non-negligible probability, given
a1,…,am chosen uniformly, C finds c1,…,cm{-1,
0,1} (not all zero) such that
Σaici = 0 (mod R)
62
Collision Resistant Hash Function
• We show how to distinguish between the uniform
and the d,γ-wavy with γ=n2+ε using C
• Choose z uniformly from {0,…,R-1}
• With probability 0.9, distd(z) > 1/20
• Repeat the following enough times:
• Choose a1,…,am from the unknown distribution
• Call C with a1,…,ak-1,(ak+z mod R),ak+1,…,am where k
is chosen uniformly from {1,…,m}
• If ck is always zero or C keeps failing, say ‘wavy’
otherwise ‘uniform’
63
Correctness
• Distribution is uniform:
• a1,…,ak-1,(ak+z mod R),ak+1,…,am has the same
distribution as a uniform sequence
• Therefore, C answers with non-negligible
probability and ck0 with probability at least
1/m
• Distribution is d,γ-wavy:
• W.h.p., i{1,…,m}, distd(ai) < 1/(100n2)
• For all c1,…,cm{-1,0,1}, distd(Σciai) < 1/25 (since
m=4n2)
• Therefore, if z has distd(z) > 1/20 then it can
64
never be included in the sum, i.e., ck=0
Application 3
Quantum Computation –
The Dihedral HSP
65
Hidden Subgroup Problem
• Given a function that is constant and distinct
on cosets of HG, find H
• Solved for Abelian groups
• Also for certain non-Abelian groups
[RöttelerBeth’98,HallgrenRussellTashma’00,GrigniSchulman
VaziraniVazirani’01…]
• Still open for many groups. In particular:
– Symmetric group
– Dihedral group (ZNZ2)
66
Solving Dihedral HSP
• Two approaches:
• Ettinger and Høyer ’00
– Reduction to “Period finding from
samples”
• R ’02, Kuperberg ‘03
– Reduction to average case subset sum
67
Solving Dihedral HSP
• Idea of Ettinger and Høyer:
– Reduce to “Hidden Translation on ZN”:
Given an oracle that outputs states of
the form |xi+|x+di where x is arbitrary
and d is fixed, find d
– Take the Fourier transform
N 1
e
2i ( jx / N )
(1  e
2i ( jd / N )
) | j
j 0
– Measure
68
Period Finding from Samples
• Find the period of the following (cos2)
distribution by sampling:
0
R-1
• [EH] showed that there is enough information
in a polynomial number of samples
• Open question in [EH]: is there an efficient
solution to this problem?
69
Reduction
• Lemma: A distinguisher between cos2 and
the uniform distribution implies a
distinguisher between the wavy and
uniform distribution
70
Guess the period and add noise
71
Reduction
• Corollary: finding the period of the cos2
distribution is hard
• Proof: Since all cos2 distributions look
like uniform, they all look the same
72
Conclusion
• Main theorem
• Average case form
• Applications
– Strong public key encryption scheme
– Collision resistant hash function
– Solution to an open question in quantum
computation
• Other applications?
73
Related documents
x,
x,
1.16. The Vector Space Cn of n-Tuples of Complex Numbers
1.16. The Vector Space Cn of n-Tuples of Complex Numbers
PDF
PDF
FW2004-05
FW2004-05
Geometry Chapter 5 Study Guide
Geometry Chapter 5 Study Guide
Solutions to the Central Limit Theorem Review 1. A) The proportion
Solutions to the Central Limit Theorem Review 1. A) The proportion
Math 130 Worksheet 2: Linear algebra
Math 130 Worksheet 2: Linear algebra
Theorem 3.9
Theorem 3.9
MATH 131 Probability
MATH 131 Probability
Chapter_04_ContinuousDistributions
Chapter_04_ContinuousDistributions
Fermat`s Last Theorem for regular primes
Fermat`s Last Theorem for regular primes
syllabus - Firdevs Ulus
syllabus - Firdevs Ulus
9.53 Sampling Distributions for Self study Suppose that we have two
9.53 Sampling Distributions for Self study Suppose that we have two
Lecture 18
Lecture 18
Shortest Vector In A Lattice is NP-Hard to approximate - CS
Shortest Vector In A Lattice is NP-Hard to approximate - CS