Oded Regev - PowerPoint PPT Presentation

1 / 49
About This Presentation
Title:

Oded Regev

Description:

On Lattices, Learning with Errors, Random Linear Codes, and Cryptography Oded Regev Tel-Aviv University Outline Basis: v1, ,vn vectors in Rn The lattice L is ... – PowerPoint PPT presentation

Number of Views:55
Avg rating:3.0/5.0
Slides: 50
Provided by: cimsNyuEd6
Learn more at: https://cims.nyu.edu
Category:

less

Transcript and Presenter's Notes

Title: Oded Regev


1
On Lattices, Learning with Errors, Random
Linear Codes, and Cryptography
Oded Regev Tel-Aviv University
2
Outline
3
Lattices
  • Basis
  • v1,,vn vectors in Rn
  • The lattice L is
  • La1v1anvn ai integers
  • The dual lattice of L is
  • Lx 8 y2L, hx,yi 2 Z

v1v2
2v2
2v1
2v2-v1
v1
v2
2v2-2v1
0
4
Shortest Vector Problem (SVP)
  • SVP Given a lattice, find an approximately
    shortest vector

v2
v1
0
5
Closest Vector Problem (CVPd)
  • CVPd Given a lattice and a target vector within
    distance d, find the closest lattice point

0
6
Main TheoremHardness of Learning
7
Learning from parity with error
8
Learning from parity with error
9
Learning modulo p
10
Learning modulo p
11
Main Theorem
12
Equivalent formulation
13
Why Quantum?
14
Why Quantum?
x
y
15
ApplicationNew Public Key Encryption Scheme
16
Previous lattice-based PKESAjtaiDwork96,Goldreic
hGoldwasserHalevi97,R03
17
Ajtais recent PKES Ajtai05
18
New lattice-based PKESThis work
19
The Cryptosystem
21 02 10 23 1 11 22 20 33
2 01 22 00 33 1 11 22 00 23
0 01 32 10 33 3 31 32 00
23 2
2 0 1 2 1 2 2 3 0 2
0 3 1 2 0 2 0 3 1
3 3 3 0 2
2? 0? 1? 2? 1 1? 2? 2? 3?
2 0? 2? 0? 3? 1 1? 2? 0? 2?
0 0? 3? 1? 3? 3 3? 3? 0?
2? 2
21 02 10 23 0 11 22 20 33
2 01 22 00 33 1 11 22 00 23
3 01 32 10 33 3 31 32 00
23 3
3? 2? 1? 0? 3
20
Proof of the Main TheoremOverview
21
Gaussian Distribution
22
The Reduction
23
Dr
24
Dr/2
25
Obtaining Dr/2 from Dr
p2vn
26
Classical, uses learning oracle Quantum
Samples from Dr in L
Solution to CVPp/r in L
Samples from Dr/2 in L
Solution to CVP2p/r in L
Samples from Dr/4 in L
Solution to CVP4p/r in L
27
Fourier Transform
Primal world (L)
Dual world (L)
28
Fourier Transform
29
Proof of the Main TheoremLemma 2 Obtaining
Dvn/d from CVPd
30
From CVPd to Dvn/d
31
From CVPd to Dvn/d
32
From CVPd to Dvn/d
33
Proof of the Main TheoremLemma 1 Solving
CVPp/r given samples from Dr and an oracle for
learning mod p
34
Its enough to approximate fp/r
35
Whats ahead in this part
36
Warm-up approximating f1/r
37
(No Transcript)
38
Fourier Transform
39
Approximating f2/r
40
Approximating f2/r
41
(No Transcript)
42
(No Transcript)
43
Approximating f2/r
44
Approximating f2/r
hs,t1i ¼dhx,w1ic mod 2 hs,t2i ¼dhx,w2ic mod
2 hs,t3i ¼dhx,w3ic mod 2 . . .
45
Approximating f2/r
46
Open Problems 1/4
47
Open Problems 2/4
48
Open Problems 3/4
  • Cryptanalysis
  • Current attacks limited to low dimension
    NguyenStern98
  • New systems Ajtai05,R05 are efficient and can
    be easily used with dimension 100
  • Security against chosen-ciphertext attacks
  • Known lattice-based cryptosystems are not secure
    against CCA

49
Open Problems 4/4
  • Comparison with number theoretic cryptography
  • E.g., can one factor integers using an oracle for
    n-approximate SVP?
  • Signature schemes
  • Can one construct provably secure lattice-based
    signature schemes?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Oded Regev" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!