
Lattice-Based Cryptography


1 Lattice-Based Cryptography
Introduction to Lattice-Based Cryptography
Vadim Lyubashevsky, Tel-Aviv University
September 9, 2009

2 Cryptographic Hardness Assumptions
Factoring is hard
Discrete Log Problem is hard
Diffie-Hellman problem is hard
Decisional Diffie-Hellman problem is hard
Problems involving Elliptic Curves are hard
Many assumptions

3 Why Do We Need More Assumptions?
Number theoretic functions are rather slow
Factoring, Discrete Log, Elliptic curves are “of the same flavor”
Quantum computers break all number theoretic assumptions

4 Lattice-Based Cryptography
Seemingly very different assumptions from factoring, discrete log, elliptic curves
Simple descriptions and implementations
Very parallelizable
Resists quantum attacks (we think)
Security based on worst-case problems

5 Average-Case Assumptions vs. Worst-Case Assumptions
Example: Want to base a scheme on factoring
Need to generate a “hard-to-factor” N. How?
Need a “hard distribution”
Wishful thinking: Factoring random numbers from some distribution is as hard as factoring any number

6 Lattice Problems
(Roadmap diagram.)
Worst-Case lattice problems
→ Average-Case problems: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
→ Minicrypt primitives: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
→ Cryptomania primitives: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

7 Lattices
Lattice: A discrete additive subgroup of R^n

8 Lattices
Basis: A set of linearly independent vectors that generate the lattice.


10 Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors


12 Approximate Shortest Independent Vector Problem
Find n pretty short linearly independent vectors

13 Bounded Distance Decoding (BDD)
Given a target vector that's close to the lattice, find the nearest lattice vector

14 Lattice Problems
(Roadmap diagram from slide 6.)

15 Lattice Problems
(Roadmap diagram.)
Worst-Case: SIVP, BDD
→ (quantum reduction) → Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
→ Minicrypt primitives: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
→ Cryptomania primitives: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

16 Small Integer Solution Problem
Given: Random vectors a_1, ..., a_m in Z_q^n
Find: a non-trivial solution z_1, ..., z_m in {-1,0,1} such that a_1 z_1 + a_2 z_2 + … + a_m z_m = 0 in Z_q^n
Observations:
If the size of the z_i is not restricted, then the problem is trivial
Immediately implies a collision-resistant hash function

17 Small Integer Solution
(Roadmap diagram from slide 6.)

18 Collision-Resistant Hash Function
Given: Random vectors a_1, ..., a_m in Z_q^n
Find: a non-trivial solution z_1, ..., z_m in {-1,0,1} such that a_1 z_1 + a_2 z_2 + … + a_m z_m = 0 in Z_q^n
Let A = (a_1, ..., a_m). Define h_A: {0,1}^m → Z_q^n where h_A(z_1, ..., z_m) = a_1 z_1 + … + a_m z_m
Domain of h = {0,1}^m (size = 2^m)
Range of h = Z_q^n (size = q^n)
Set m > n log q to get compression
Collision: a_1 z_1 + … + a_m z_m = a_1 y_1 + … + a_m y_m
So a_1 (z_1 - y_1) + … + a_m (z_m - y_m) = 0, and the z_i - y_i are in {-1,0,1}
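Added example (not code from the talk): the hash h_A of slide 18 in Python, with the compression condition m > n log q and the collision-to-SIS conversion made explicit. The parameters and the random matrix are constructed toy values chosen so that an exhaustive collision search is feasible; they carry no security.

```python
"""Ajtai-style SIS hash h_A(z) = A z mod q on bit-strings, plus the
collision -> SIS-solution conversion from slide 18 (added example)."""
import random
from itertools import product
from typing import List, Optional, Tuple

Vector = List[int]
Matrix = List[List[int]]  # n rows, m columns over Z_q


def sample_matrix(n: int, m: int, q: int, rng: random.Random) -> Matrix:
    """Public parameter A = (a_1, ..., a_m): m uniformly random columns in Z_q^n."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def hash_sis(A: Matrix, q: int, z: Vector) -> Tuple[int, ...]:
    """h_A(z_1..z_m) = a_1 z_1 + ... + a_m z_m in Z_q^n."""
    return tuple(sum(row[j] * z[j] for j in range(len(z))) % q for row in A)


def compresses(n: int, m: int, q: int) -> bool:
    """The domain {0,1}^m is larger than the range Z_q^n iff 2^m > q^n, i.e. m > n log2 q."""
    return 2 ** m > q ** n


def find_collision(A: Matrix, q: int, m: int) -> Optional[Tuple[Vector, Vector]]:
    """Exhaustive search over {0,1}^m (toy sizes only): returns z != y with h(z) == h(y).
    When the hash compresses, the pigeonhole principle guarantees such a pair exists."""
    seen = {}
    for bits in product((0, 1), repeat=m):
        z = list(bits)
        digest = hash_sis(A, q, z)
        if digest in seen:
            return seen[digest], z
        seen[digest] = z
    return None


def collision_to_sis(z: Vector, y: Vector) -> Vector:
    """z - y has entries in {-1,0,1} and satisfies A (z - y) = 0 mod q."""
    return [zi - yi for zi, yi in zip(z, y)]


def is_sis_solution(A: Matrix, q: int, w: Vector) -> bool:
    """Non-trivial, ternary coefficients, and in the kernel of A mod q."""
    return (any(w) and all(c in (-1, 0, 1) for c in w)
            and all(c == 0 for c in hash_sis(A, q, w)))


if __name__ == "__main__":
    # Constructed toy instance: n=2, q=5, m=8 (2^8 = 256 inputs, 5^2 = 25 outputs).
    rng = random.Random(7)
    A = sample_matrix(2, 8, 5, rng)
    z, y = find_collision(A, 5, 8)
    print("collision:", z, y, "-> SIS solution valid:", is_sis_solution(A, 5, collision_to_sis(z, y)))
```

The search is only there to make the reduction concrete at toy size; at the slide's parameters (n=64, m=1024, q=257) the same compression holds but no such search is feasible, which is exactly what the SIS assumption asserts.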

19 Lattice Problems
(Roadmap diagram from slide 6.)

20 Lattice Problems
(Roadmap diagram.)
Worst-Case: SIVP, BDD
→ Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
→ Minicrypt primitives: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
→ Cryptomania primitives: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

21 For Any Lattice ...
Consider the distribution obtained by:
1. Pick a uniformly random lattice point
2. Sample from a Gaussian distribution centered at the lattice point

22 One-Dimensional Gaussian Distribution

23 Two-Dimensional Gaussian Distribution
Image courtesy of wikipedia

24 Gaussians on Lattice Points
Image courtesy of Oded Regev


28 Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors
The standard deviation of the Gaussian that leads to the uniform distribution is related to the length of the longest vector in the SIVP solution

29 Worst-Case to Average-Case Reduction

31 Worst-Case to Average-Case Reduction
(Figure: a two-dimensional lattice with the surrounding grid points labelled by elements of Z_q^2.)
Important: All lattice points have label (0,0), and all points labeled (0,0) are lattice points (0^n in n-dimensional lattices)

32 How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
Pick a random lattice point

33 How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
Pick a random lattice point
Gaussian sample a point around the lattice point

34 All the samples are uniform in Z_q^n
How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
Pick a random lattice point
Gaussian sample a point around the lattice point
All the samples are uniform in Z_q^n

35 How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
Pick a random lattice point
Gaussian sample a point around the lattice point
Give the m “Z_q^n samples” a_1, ..., a_m to the SIS oracle
Oracle outputs z_1, ..., z_m in {-1,0,1} such that a_1 z_1 + … + a_m z_m = 0

36 s_1 z_1 + ... + s_m z_m is a lattice vector
Give the m “Z_q^n samples” a_1, ..., a_m to the SIS oracle
Oracle outputs z_1, ..., z_m in {-1,0,1} such that a_1 z_1 + … + a_m z_m = 0
(Each sample is s_i = v_i + r_i, where v_i is the lattice point and r_i the Gaussian offset; a_i is the Z_q^n label of s_i.)
s_1 z_1 + ... + s_m z_m is a lattice vector
(v_1 + r_1) z_1 + ... + (v_m + r_m) z_m is a lattice vector
(v_1 z_1 + ... + v_m z_m) + (r_1 z_1 + ... + r_m z_m) is a lattice vector
So r_1 z_1 + ... + r_m z_m is a lattice vector

37 So r_1 z_1 + ... + r_m z_m is a lattice vector
Give the m “Z_q^n samples” a_1, ..., a_m to the SIS oracle
Oracle outputs z_1, ..., z_m in {-1,0,1} such that a_1 z_1 + … + a_m z_m = 0
(With s_i = v_i + r_i as before.)
So r_1 z_1 + ... + r_m z_m is a lattice vector
The r_i are short vectors, the z_i are in {-1,0,1}
So r_1 z_1 + ... + r_m z_m is a short lattice vector

38 Some Technicalities
You can’t sample a “uniformly random” lattice point
In the proofs, we work with R^n / L rather than R^n
So you don't need to sample a random lattice point
What if r_1 z_1 + ... + r_m z_m is 0?
Can show that with high probability it isn't
Given an s_i, there are multiple possible r_i
Gaussian sampling doesn’t give us points on the grid
You can round to a grid point
Must be careful to bound the “rounding distance”

39 Lattice Problems
(Roadmap diagram from slide 6.)


41 Learning With Errors Problem
Distinguish between these two distributions:
Oracle 1: a_1, b_1 = <a_1,s> + e_1; a_2, b_2 = <a_2,s> + e_2; ... where s is chosen randomly in Z_q^n, the a_i are chosen randomly from Z_q^n, and the e_i are “small” elements in Z_q
Oracle 2: a_1, b_1; a_2, b_2; ... where the a_i are chosen randomly from Z_q^n and the b_i are chosen randomly from Z_q

42 Learning With Errors Problem
In matrix form: A s + e = b, where the rows of A are a_1, ..., a_m
The a_i and s are in Z_q^n, e is in Z_q^m
All coefficients of e are < sqrt(q)

43 Learning With Errors Problem
A s + e = b
A is in Z_q^{m x n}, s is in Z_q^n, e is in Z_q^m
All coefficients of e are < sqrt(q)
LWE problem: Distinguish (A, As+e) from (A, b) where b is random

44 Public Key Encryption Based on LWE
Secret Key: s in Z_q^n
Public Key: A in Z_q^{m x n}, b = As + e, where each coefficient of e is < sqrt(q)
Encrypting a single bit z in {0,1}: Pick r in {0,1}^m. Send (rA, <r,b> + z(q/2))

45 Proof of Semantic Security
If b is random, then (A, rA, <r,b>) is also completely random. So (A, rA, <r,b> + z(q/2)) is also completely random.
Since (A,b) looks random (based on the hardness of LWE), so does (A, rA, <r,b> + z(q/2)) for any z

46 Decryption
Have (u,v) where u = rA and v = <r,b> + z(q/2)
Compute <u,s> - v
If <u,s> - v is closer to 0 than to q/2, then decrypt to 0
If <u,s> - v is closer to q/2 than to 0, then decrypt to 1
<u,s> - v = rAs – r(As+e) - z(q/2) = <r,e> - z(q/2)
If all coefficients of e are < sqrt(q), then |<r,e>| < m*sqrt(q)
So if q >> m*sqrt(q), z(q/2) “dominates” the term <r,e> - z(q/2)
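Added example (not code from the talk): slides 44 to 46 as a runnable Python key generation, single-bit encryption and decryption. The parameters (n=8, m=16, q=1024, errors bounded by 3) are constructed so that the correctness condition on the slide, |<r,e>| small compared to q/2, provably holds; they are far too small for any security and the error distribution is a plain bounded uniform one rather than the Gaussian the proofs use.

```python
"""Regev-style single-bit encryption from LWE, following slides 44-46
(added example with constructed toy parameters)."""
import random
from typing import List, Tuple

Vector = List[int]
Matrix = List[List[int]]

# Constructed toy parameters (far too small for real security).
N, M, Q = 8, 16, 1024          # secret dimension, number of samples, modulus
ERR_BOUND = 3                  # |e_i| <= 3 < sqrt(Q): the "small error" condition


def keygen(rng: random.Random, n: int = N, m: int = M, q: int = Q):
    """Secret s in Z_q^n; public key (A, b = A s + e) with A in Z_q^{m x n}."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-ERR_BOUND, ERR_BOUND) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return s, (A, b)


def encrypt(pk, bit: int, rng: random.Random, q: int = Q) -> Tuple[Vector, int]:
    """Pick r in {0,1}^m; send (u, v) = (rA, <r,b> + bit*(q/2))."""
    A, b = pk
    m, n = len(A), len(A[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    v = (sum(r[i] * b[i] for i in range(m)) + bit * (q // 2)) % q
    return u, v


def decrypt(s: Vector, ct: Tuple[Vector, int], q: int = Q) -> int:
    """d = <u,s> - v mod q equals -(<r,e> + bit*(q/2)); the bit is read off by
    checking whether d lies nearer to 0 or to q/2, as on slide 46."""
    u, v = ct
    d = (sum(u[j] * s[j] for j in range(len(s))) - v) % q
    dist_to_zero = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 0 if dist_to_zero < dist_to_half else 1


def decryption_is_guaranteed(m: int = M, q: int = Q, bound: int = ERR_BOUND) -> bool:
    """Correctness condition: the error term |<r,e>| <= m*bound must stay below q/4,
    so that the z(q/2) term dominates it (slide 46's q >> m*sqrt(q))."""
    return m * bound < q // 4


if __name__ == "__main__":
    rng = random.Random(3)
    s, pk = keygen(rng)
    for bit in (0, 1):
        print(bit, "->", decrypt(s, encrypt(pk, bit, rng)))
```

Because r is a 0/1 vector, <r,e> is a sum of at most m error terms, so the bound m*ERR_BOUND = 48 against q/4 = 256 is what makes every decryption below correct; shrinking q or growing the error until the check fails is the quickest way to see decryption errors appear.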

47 Lattices in Practice
Lattices have some great features:
Very strong security proofs
The schemes are fairly simple
Relatively efficient
But there is a major drawback:
Schemes have very large keys

48 Hash Function
Description of the hash function: a_1, ..., a_m in Z_q^n
Input: Bit-string z_1 ... z_m in {0,1}^m
h(z_1 ... z_m) = a_1 z_1 + a_2 z_2 + … + a_m z_m
Sample parameters: n=64, m=1024, p=257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description: log(257)*64*1024 ≈ 525,000 bits

49 Public-Key Cryptosystem
(Textbook) RSA: Key-size: ≈ 2048 bits Ciphertext length (2048 bit message): ≈ bits LWE-based scheme: Key-size: ≈ 600,000 bits Ciphertext length (2048 bit message): ≈ 40,000 bits

50 Source of Inefficiency
h(z) = A z, where A is a random matrix over Z_q with n rows and n(log n) columns and z is a bit vector
Require O(n^2) storage
Computing the function takes O(n^2) time

51 A More Efficient Idea
Build A from n × n blocks in which every column is a cyclic shift of the block's first column
Now A only requires n(log n) storage
Az can be computed faster as well

52 A More Efficient Idea
Example with n = 4: the first block of A has rows (4,1,2,7), (7,4,1,2), (2,7,4,1), (1,2,7,4); the second block has rows (10,7,1,13), (13,10,7,1), (1,13,10,7), (7,1,13,10); z = (1,0,0,1, 0,1,1,0)
Then A z = (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) in Z_p[x]/(x^n-1)

53 Interlude: What is Z_p[x]/(x^n-1)?
Z = integers
Z_p = integers modulo p
Z_p[x] = polynomials with coefficients in Z_p. Example if p=3: 1+x, 2+x^2+x^1001
Z_p[x]/(x^n-1) = polynomials of degree at most n-1, with coefficients in Z_p. Example if p=3 and n=4: 1+x, 2+x+x^2

54 Operations in Z_p[x]/(x^n-1)
Addition: addition of polynomials modulo p. Example if p=3 and n=4: (1+x^2) + (2+x^2+x^3) = 2x^2 + x^3
Multiplication: polynomial multiplication modulo p and x^n-1. Example: (1+x^2) * (2+x^2+x^3) = 2 + 3x^2 + x^3 + x^4 + x = 2 + 3x^2 + x^3 + 1 + x = x + x^3

55 Multiplication in Z_p[x]/(x^n-1) as a Matrix/Vector Product
Have polynomials f and g = g_0 + g_1 x + g_2 x^2 + ... + g_{n-1} x^{n-1}
Form the matrix whose columns are the coefficient vectors of f, fx, fx^2, fx^3 and multiply it by (g_0, g_1, g_2, g_3):
g_0 f + g_1 fx + g_2 fx^2 + g_3 fx^3 = f(g_0 + g_1 x + g_2 x^2 + g_3 x^3) = fg
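Added example (not code from the talk): the ring operations of slides 53 to 55 in Python, with the matrix of cyclic shifts from slide 55 checked against the direct polynomial product. The block-sum routine evaluates slide 52's A z; since that slide does not state its modulus, p = 17 there is a constructed choice.

```python
"""Arithmetic in Z_p[x]/(x^n - 1) and its matrix/vector form (added example)."""
from typing import List

Poly = List[int]   # coefficient list; index i holds the coefficient of x^i


def ring_add(f: Poly, g: Poly, p: int) -> Poly:
    """Coefficient-wise addition modulo p (slide 54)."""
    return [(a + b) % p for a, b in zip(f, g)]


def ring_mul(f: Poly, g: Poly, p: int) -> Poly:
    """Schoolbook product, folding x^n -> 1 (so x^(n+k) -> x^k) and reducing mod p."""
    n = len(f)
    out = [0] * n
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[(i + j) % n] = (out[(i + j) % n] + a * b) % p
    return out


def circulant(f: Poly, p: int) -> List[List[int]]:
    """Matrix whose columns are f, f*x, f*x^2, ..., f*x^(n-1): column k is f shifted
    cyclically down by k places, because multiplying by x shifts coefficients up one degree."""
    n = len(f)
    cols = [[f[(i - k) % n] % p for i in range(n)] for k in range(n)]
    return [[cols[k][i] for k in range(n)] for i in range(n)]  # rows of the matrix


def mat_vec(A: List[List[int]], g: Poly, p: int) -> Poly:
    """Ordinary matrix/vector product over Z_p."""
    return [sum(a * b for a, b in zip(row, g)) % p for row in A]


def block_sum(blocks: List[Poly], chunks: List[Poly], p: int) -> Poly:
    """A z for a block-structured A: the sum over blocks of (block polynomial) * (chunk of z),
    which is how slide 52 rewrites the matrix product."""
    total = [0] * len(blocks[0])
    for f, z in zip(blocks, chunks):
        total = ring_add(total, ring_mul(f, z, p), p)
    return total


if __name__ == "__main__":
    # Slide 54, p = 3, n = 4: (1 + x^2) * (2 + x^2 + x^3) = x + x^3.
    print(ring_mul([1, 0, 1, 0], [2, 0, 1, 1], 3))
    # Slide 52 with the constructed modulus p = 17.
    print(block_sum([[4, 7, 2, 1], [10, 13, 1, 7]], [[1, 0, 0, 1], [0, 1, 1, 0]], 17))
```

The first row returned by circulant([4,7,2,1], 17) is (4,1,2,7), the same row that opens slide 52's block, which is why A z on that slide is a sum of two ring products rather than a dense matrix product.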

56 A More Efficient Idea
(Same example as slide 52.) A z = (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) in Z_p[x]/(x^n-1)
Multiplication in Z_p[x]/(x^n-1) takes time O(n log n) using FFT

57 Great, a Better Hash Function!
Sample parameters: n=64, m=1024, p=257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description: log(257)*64*1024 ≈ 525,000 bits
“New function” description: log(257)*64*16 ≈ 8192 bits, and it's much faster!

58 But Is it Hard to Find Collisions?
(For the hash with cyclic-shift blocks from slide 52.) NO!

59 Finding Collisions
(Figure: h maps the domain D to the range R; restricting h to a subdomain D' makes it map into a much smaller range R'.)

60 Finding Collisions
A z in Z_q^n = (first cyclic-shift block) times (first chunk of z) + (second cyclic-shift block) times (second chunk of z), with the blocks of slide 52
How many possibilities are there for this vector? q^n
There is a way to pick the z vector “smarter” so that the number of possibilities is just q

61 Finding Collisions
A cyclic-shift block times the all-ones vector: rows (4,1,2,7), (7,4,1,2), (2,7,4,1), (1,2,7,4) times (1,1,1,1) = (14,14,14,14). Every coordinate of the result is the same sum of the block's entries.

62 Finding Collisions
A z in Z_q^n = (first block) times (first chunk of z) + (second block) times (second chunk of z)
Set each block of z to either all 0's or all 1's
How many possibilities for z are there? 2^(# of blocks)
Need 2^(# of blocks) > q to guarantee a collision of this form
# of blocks > log q

63 Collision-Resistant Hash Function
Given: Vectors a_1, ..., a_m in Z_q^n
Find: a non-trivial solution z_1, ..., z_m in {-1,0,1} such that a_1 z_1 + a_2 z_2 + … + a_m z_m = 0 in Z_q^n
Let A = (a_1, ..., a_m). Define h_A: {0,1}^m → Z_q^n where h_A(z_1, ..., z_m) = a_1 z_1 + … + a_m z_m
Domain of h = {0,1}^m (size = 2^m)
Range of h = Z_q^n (size = q^n)
Set m > n log q to get compression
# of blocks = m/n > log q

64 But …
A z = r, for the block-structured A and a target vector r in Z_q^n
Theorem: For a random r in Z_q^n, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q = r

65 Lattice Problems for “Cyclic Lattices”
(Diagram: Worst-Case → Average-Case → One-Way Functions)

66 Cyclic Lattices
A set L in Z^n is a cyclic lattice if:
1.) For all v,w in L, v+w is also in L. Example: (-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2)
2.) For all v in L, -v is also in L. Example: -(-1,2,3,-4) = (1,-2,-3,4)
3.) For all v in L, a cyclic shift of v is also in L. Example: the cyclic shifts of (-1,2,3,-4) are (-4,-1,2,3), (3,-4,-1,2), (2,3,-4,-1)

67 Cyclic Lattices = Ideals in Z[x]/(x^n-1)
(The same three conditions as on slide 66: closed under addition, negation and cyclic shift.)

68 (x^n-1)-Ideal Lattices
A set L in Z^n is an (x^n-1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L. Example: (-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2)
2.) For all v in L, -v is also in L. Example: -(-1,2,3,-4) = (1,-2,-3,4)
3.) For all v in L, a cyclic shift of v is also in L. Example: the cyclic shifts of (-1,2,3,-4) are (-4,-1,2,3), (3,-4,-1,2), (2,3,-4,-1)

69 What About Hash Functions?
(The hash with cyclic-shift blocks from slide 52.) Not Collision-Resistant

70 A “Simple” Modification
Replace each cyclic-shift block by a “negative rotation” block, in which an entry that wraps around picks up a minus sign: the first block becomes rows (4,-1,-2,-7), (7,4,-1,-2), (2,7,4,-1), (1,2,7,4), and the second rows (10,-7,-1,-13), (13,10,-7,-1), (1,13,10,-7), (7,1,13,10)
Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q = 0
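Added example (not code from the talk) for slides 60 to 62 and slide 70: in Python, with constructed 4-entry blocks over q = 17, the inputs whose blocks are all-0 or all-1 collapse the cyclic-shift hash to constant vectors (at most q distinct outputs, so 2^(# of blocks) > q forces a collision among them), whereas the same inputs through the negative-rotation blocks of slide 70 no longer have that shape. It illustrates the structural defect the slides describe and the check a reviewer would run on such a construction; it says nothing about the hardness theorem itself.

```python
"""Structured inputs against cyclic-shift (x^n - 1) versus negative-rotation
(x^n + 1) block hashes (added example, constructed toy values)."""
from itertools import product
from typing import Iterator, List, Sequence, Set, Tuple

Block = List[int]


def rotate(v: Sequence[int], negate: bool) -> List[int]:
    """Multiply the polynomial v by x: cyclic shift (x^n = 1) or, with negate=True,
    the "negative rotation" of slide 72 (x^n = -1), where the wrapped entry flips sign."""
    last = v[-1]
    return [-last if negate else last] + list(v[:-1])


def block_matrix(a: Block, q: int, negate: bool) -> List[List[int]]:
    """n x n block whose columns are a, a*x, ..., a*x^(n-1); rows match slides 52 / 70."""
    cols = [list(a)]
    for _ in range(len(a) - 1):
        cols.append(rotate(cols[-1], negate))
    n = len(a)
    return [[cols[k][i] % q for k in range(n)] for i in range(n)]


def hash_blocks(blocks: List[Block], z: Sequence[int], q: int, negate: bool) -> Tuple[int, ...]:
    """h(z) = A_1 z_1 + ... + A_k z_k mod q, with z split into k chunks of n bits."""
    n = len(blocks[0])
    out = [0] * n
    for k, a in enumerate(blocks):
        A = block_matrix(a, q, negate)
        chunk = z[k * n:(k + 1) * n]
        for i in range(n):
            out[i] = (out[i] + sum(A[i][j] * chunk[j] for j in range(n))) % q
    return tuple(out)


def structured_inputs(num_blocks: int, n: int) -> Iterator[List[int]]:
    """Every z whose blocks are each all-0 or all-1: 2^num_blocks inputs (slide 62)."""
    for pattern in product((0, 1), repeat=num_blocks):
        yield [bit for bit in pattern for _ in range(n)]


def distinct_outputs(blocks: List[Block], q: int, negate: bool) -> Set[Tuple[int, ...]]:
    """Image of the structured inputs; for cyclic shifts this has at most q elements."""
    n = len(blocks[0])
    return {hash_blocks(blocks, z, q, negate) for z in structured_inputs(len(blocks), n)}


def all_constant(outputs) -> bool:
    """True if every output vector has all coordinates equal (the slide 61 shape)."""
    return all(len(set(o)) == 1 for o in outputs)


# Constructed blocks: the two from slide 52 plus four more; 6 blocks give 64 inputs > q = 17.
BLOCKS = [[4, 7, 2, 1], [10, 13, 1, 7], [1, 2, 0, 0], [3, 0, 1, 0], [5, 5, 5, 5], [2, 0, 0, 9]]
Q = 17

if __name__ == "__main__":
    cyc, neg = distinct_outputs(BLOCKS, Q, False), distinct_outputs(BLOCKS, Q, True)
    print("cyclic-shift: ", len(cyc), "distinct outputs, all constant:", all_constant(cyc))
    print("neg-rotation: ", len(neg), "distinct outputs, all constant:", all_constant(neg))
```

For the cyclic-shift blocks every column of a block sums to the same value, so a block times the all-ones chunk is that sum times (1,...,1); the negative-rotation block breaks the equal-column-sum property, which is all this check verifies.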

71 Lattice Problems for (x^n+1)-Ideal Lattices
(Diagram.)
Worst-Case → Average-Case: Small Integer Solution Problem (SIS)
→ Minicrypt primitives: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes

72 (x^n+1)-Ideal Lattices
A set L in Z^n is an (x^n+1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L. Example: (-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2)
2.) For all v in L, -v is also in L. Example: -(-1,2,3,-4) = (1,-2,-3,4)
3.) For all v in L, its “negative rotation” is also in L. Example: the negative rotations of (-1,2,3,-4) are (4,-1,2,3), (-3,4,-1,2), (-2,-3,4,-1) (the last coordinate moves to the front and changes sign)

73 So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions:
More efficient than any other provably-secure hash function
Almost as efficient as the ones used in practice
Can only prove collision-resistance
Signature schemes:
Theoretically, very efficient
In practice, efficient
Key length ≈ 20,000 bits
Signature length ≈ 50,000 bits

74 Future Directions
Build more primitives (for ideas, go to
Build “theoretically efficient” primitives based on lattices

75 Lattice Problems
(Roadmap diagram from slide 6.)

76 Future Directions
Build more primitives (for inspiration, go to
Build “theoretically efficient” primitives based on lattices
Build “cryptomania” primitives on the same assumption as “minicrypt” primitives
Build practical primitives using ideal lattices
Determine the hardness of ideal lattice problems

77 References (General Lattices)
Worst-Case to Average-Case reductions: to SIS [Ajt96, ..., MicReg04]; to LWE [Reg05]
Minicrypt constructions: Hash functions [Ajt96, ..., MicReg04]; ID Schemes [MicVad03, Lyu08, KawTanXag08]; Signature Schemes [LyuMic08, GenPeiVai08]
Cryptomania constructions: PKE [AjtDwo97, Reg03, Reg05, GenPeiVai08, PeiWat08, Pei09]; OT [PeiVai08]
Reductions between lattice problems (relevant to this talk): [Ban93, Reg05, LyuMic09]

78 References (Ideal Lattices)
Worst-Case to Average-Case reductions: [Mic02, PeiRos06, LyuMic06]
Hash Functions: [PeiRos06, LyuMic06, LyuMicPeiRos08]
ID schemes: [Lyu09]
Signature Schemes: [LyuMic08, Lyu09, SteSteTanXag09]
PKE: [Gen09, SteSteTanXag09]

