Upload File

1 the unique-svp world 1. ajtai-dwork’97/07, regev’03 pke from worst-case usvp 2....

  • Home
  • Documents
  • 1 The unique-SVP World 1. Ajtai-Dwork’97/07, Regev’03 PKE from worst-case uSVP 2. Lyubashvsky-Micciancio’09 Relations between worst-case uSVP, BDD,
Download 1 The unique-SVP World 1. Ajtai-Dwork’97/07, Regev’03 PKE from worst-case uSVP 2. Lyubashvsky-Micciancio’09 Relations between worst-case uSVP, BDD,

If you can't read please download the document

Upload: felix-nash

Post on 18-Jan-2018

218 views

Category:

Documents


0 download

Report

DESCRIPTION

3 “Worst-case Distinguisher” Wavy-vs-Uniform Worst-case Decision u-SVP Basic Intuition AD97 PKE bit-by-bit n-dimensional Leftover hash lemma Worst-case Search u-SVP Regev03: “Hensel lifting” AD97: Geometric Ajtai-Dwork & Regev’03 PKEs AD07 PKE O(n)-bits n-dimensional Regev03 PKE bit-by-bit 1-dimensional Projecting to a line Amortizing by adding dimensions Nearly-trivial worst-case/average-case reductions

TRANSCRIPT

1 The unique-SVP World 1. Ajtai-Dwork97/07, Regev03 PKE from worst-case uSVP 2. Lyubashvsky-Micciancio09 Relations between worst-case uSVP, BDD, GapSVP Many slides stolen from Oded Regev, denoted by Shai Halevi, IBM, July 2009 2 Promise: the shortest vector u is shorter by a factor of f(n) Algorithm for 2 n -unique SVP [LLL82,Schnorr87] Believed to be hard for any polynomial n c f(n)-unique-SVP 1 f(n) 1 2n2n believed hardeasy ncnc 3 Worst-case Distinguisher Wavy-vs-Uniform Worst-case Decision u-SVP Basic Intuition AD97 PKE bit-by-bit n-dimensional Leftover hash lemma Worst-case Search u-SVP Regev03: Hensel lifting AD97: Geometric Ajtai-Dwork & Regev03 PKEs AD07 PKE O(n)-bits n-dimensional Regev03 PKE bit-by-bit 1-dimensional Projecting to a line Amortizing by adding dimensions Nearly-trivial worst-case/average-case reductions 4 n-dimensional distributions ? Wavy Uniform Distinguish between the distributions: (In a random direction) 5 Given a lattice L, the dual lattice is L * = { x | for all y L, Z } L * = { x | for all y L, Z } Dual Lattice 0 1/5 L L*L* 0 5 6 L * - the dual of L 0 L 0 nn 1/n nn L*L* 0 n Case 1 Case 2 7 Input: a basis B* for L* Produce a distribution that is: Wavy if L has unique shortest vector (|u| 1/n) Wavy if L has unique shortest vector (|u| 1/n) Uniform (on P(B*)) if 1 (L) > n Uniform (on P(B*)) if 1 (L) > n Choose a point from a Gaussian of radius n, and reduce mod P(B*) Conceptually, a random L* point with a Gaussian( n) perturbation Conceptually, a random L* point with a Gaussian( n) perturbation Reduction 8 Creating the Distribution L*L* 0 n L * + perturb Case 1 Case 2 9 Theorem: (using [Banaszczyk93]) The distribution obtained above depends only on the points in L of distance n from the origin (up to an exponentially small error) Therefore, Case 1: Determined by multiples of u wavy on hyperplanes orthogonal to u Case 2: Determined by the origin uniform Analyzing the Distribution 10 For a set A in R n, define: Poisson Summation Formula implies: Banaszczyks theorem: For any lattice L, Proof of Theorem 11 In Case 2, the distribution obtained is very close to uniform: Because: Proof of Theorem (cont.) 12 next Worst-case Distinguisher Wavy-vs-Uniform Worst-case Decision u-SVP Basic Intuition Worst-case Search u-SVP Regev03: Hensel lifting AD97: Geometric Ajtai-Dwork & Regev03 PKEs 13 Reminder: L* lives in hyperplanes We want to identify u Using an oracle that distinguishes wavy distributions from uniform in P(B*) Using an oracle that distinguishes wavy distributions from uniform in P(B*) u H0H0 H1H1 H -1 Distinguish Search, AD97 14 The plan 1. Use the oracle to distinguish points close to H 0 from points close to H 1 2. Then grow very long vectors that are rather close to H 0 3. This gives a very good approximation for u, then we use it to find u exactly 15 Distinguishing H 0 from H 1 Input: basis B* for L*, ~length of u, point x And access to wavy/uniform distinguisher And access to wavy/uniform distinguisher Decision: Is x 1/poly(n) close to H 0 or to H 1 ? Choose y from a wavy distribution near L* y = Gaussian( )* with < 1/2|u| y = Gaussian( )* with < 1/2|u| Pick R [0,1], set z = x + y mod P(B*) Ask oracle if z is drawn from wavy or uniform distribution * Gaussian( ): variance 2 in each coordinate 16 Distinguishing H 0 from H 1 (cont.) x Case 1: x close to H 0 x also close to H 0 x + y mod P(B*) close to L*, wavy H0H0 17 Distinguishing H 0 from H 1 (cont.) x Case 2: x close to H 1 x in the middle between H 0 and H 1 Nearly uniform component in the u direction Nearly uniform component in the u direction x + y mod P(B*) nearly uniform in P(B*) H0H0 H1H1 18 Repeat poly(n) times, take majority Boost the advantage to near-certainty Boost the advantage to near-certainty Below we assume a perfect distinguisher Close to H 0 always says NO Close to H 0 always says NO Close to H 1 always says YES Close to H 1 always says YES Otherwise, there are no guarantees Otherwise, there are no guarantees Except halting in polynomial timeExcept halting in polynomial time Distinguishing H 0 from H 1 (cont.) 19 Growing Large Vectors Start from some x 0 between H -1 and H +1 e.g. a random vector of length 1/|u| e.g. a random vector of length 1/|u| In each step, choose x i s.t. |x i | ~ 2|x i-1 | |x i | ~ 2|x i-1 | x i is somewhere between H -1 and H +1 x i is somewhere between H -1 and H +1 Keep going for poly(n) steps Result is x* between H 1 with |x*|=N/|u| Very large N, e.g., N=2 n Very large N, e.g., N=2 n well see how in a minute 2 20 From x i-1 to x i Try poly(n) many candidates: Candidate w = 2x i-1 + Gaussian(1/|u|) For j = 1,, m=poly(n) w j = j/m w w j = j/m w Check if w j is near H 0 or near H 1 Check if w j is near H 0 or near H 1 If none of the w j s is near H 1 then accept w and set x i = w Else try another candidate w=w m w1w1 w2w2 21 From x i-1 to x i : Analysis x i-1 between H 1 w is between H n Except with exponentially small probability Except with exponentially small probability w is NOT between H 1 some w j near H 1 So w will be rejected So w will be rejected So if we make progress, we know that we are on the right track 22 From x i-1 to x i : Analysis (cont.) With probability 1/poly(n), w is close to H 0 The component in the u direction is Gaussian with mean < 2/|u| and variance 1/|u| 2 The component in the u direction is Gaussian with mean < 2/|u| and variance 1/|u| 2 2x i-1 H0H0 H1H1 noise 23 From x i-1 to x i : Analysis (cont.) With probability 1/poly, w is close to H 0 The component in the u direction is Gaussian with mean < 2/|u| and standard deviation 1/|u| The component in the u direction is Gaussian with mean < 2/|u| and standard deviation 1/|u| w is close to H 0, all w j s are close to H 0 So w will be accepted So w will be accepted After polynomially many candidates, we will make progress whp 24 Finding u Find n-1 x*s x* t+1 is chosen orthogonal to x* 1,,x* t x* t+1 is chosen orthogonal to x* 1,,x* t By choosing the Gaussians in that subspace By choosing the Gaussians in that subspace Compute u {x* 1,,x* n-1 }, with |u |=1 u is exponentially close to u/|u| u is exponentially close to u/|u| u/|u| = (u +e), |e|=1/Nu/|u| = (u +e), |e|=1/N Can make N 2 n (e.g., N=2 n )Can make N 2 n (e.g., N=2 n ) Diophantine approximation to solve for u 2 (slide 71) 25 Worst-case Distinguisher Wavy-vs-Uniform Worst-case Decision u-SVP Basic Intuition AD97 PKE bit-by-bit n-dimensional Worst-case/average-case +leftover hash lemma Worst-case Search u-SVP Regev03: Hensel lifting AD97: Geometric Ajtai-Dwork & Regev03 PKEs next (slide 47) 26 Average-case Distinguisher Intuition: lattice only matters via the direction of u Security parameter n, another parameter N A random u in n-dim. unit sphere defines D u (N) = disceret-Gaussian(N) in one dimension = disceret-Gaussian(N) in one dimension Defines a vector x= u/, namely x u and = Defines a vector x= u/, namely x u and = y = Gaussian(N) in the other n-1 dimensions y = Gaussian(N) in the other n-1 dimensions e = Gaussian(n -4 ) in all n dimensions e = Gaussian(n -4 ) in all n dimensions Output x+y+e Output x+y+e The average-case problem Distinguish D u (N) from G(N)=Gaussian(N)+Gaussian(n -3 ) Distinguish D u (N) from G(N)=Gaussian(N)+Gaussian(n -3 ) For a noticeable fraction of us For a noticeable fraction of us 27 Worst-case/average-case (cont.) Thm: Distinguishing D u (N) from Uniform Distinguishing Wavy B* from Uniform B* for all B* When you know 1 (L(B)) upto (1+1/poly(n) -factor When you know 1 (L(B)) upto (1+1/poly(n) -factor For parameter N = 2 (N) For parameter N = 2 (N) Pf: Given B*, scale it s.t. 1 (L(B)) [1,1+1/poly) Also apply random rotation Given samples x (from Uniform B* / Wavy B* ) Sample y=discrete-Gaussian B* (N) Sample y=discrete-Gaussian B* (N) Can do this for large enough NCan do this for large enough N Output z=x+y Output z=x+y Clearly z is close to G(N) /D u (N) respectively 28 The AD97 Cryptosystem Secret key: a random u unit sphere Public key: n+m+1 vectors (m=8n log n) b 1,b n D u (2 n ), v 0,v 1,,v m D u (n2 n ) b 1,b n D u (2 n ), v 0,v 1,,v m D u (n2 n ) So, ~ integerSo, ~ integer We insist on ~ odd integerWe insist on ~ odd integer Will use P(b 1,b n ) for encryption Need P(b 1,b n ) with width > 2 n /n Need P(b 1,b n ) with width > 2 n /n 29 The AD97 Cryptosystem (cont.) Encryption( ): c random-subset-sum(v 1,v m ) + v 0 /2 output c = (c +Gaussian(n -4 )) mod P(B) Decryption(c): If is closer than to integer say 0, else say 1 Correctness due to, ~integer and width of P(B) and width of P(B) 30 AD97 Security The b i s, v i s chosen from D u (something) By hardness assumption, cant distinguish from G u (something) Claim: if they were from G u (something), c would have no information on the bit Proven by leftover hash lemma + smoothing Proven by leftover hash lemma + smoothing Note: v i s has variance n 2 larger than b i s In the G u case v i mod P(B) is nearly uniform 31 AD97 Security (cont.) Partition P(B) to q n cells, q~n 7 For each point v i, consider the cell where it lies r i is the corner of that cell r i is the corner of that cell S v i mod P(B) = S r i mod P(B) + n -5 error S is our random subset S is our random subset S r i mod P(B) is a nearly-random cell Well show this using leftover hash Well show this using leftover hash The Gaussian(n -4 ) in c drowns the error term q q 32 Leftover Hashing Consider hash function H R :{0,1} m [q] n The key is R=[r 1,,r m ] [q] n m The key is R=[r 1,,r m ] [q] n m The input is a bit vector b=[ 1,, m ] T {0,1} m The input is a bit vector b=[ 1,, m ] T {0,1} m H R (b) = Rb mod q H is pairwise independent (well, almost..) Yay, lets use the leftover hash lemma Yay, lets use the leftover hash lemma , statistically close For random R [q] n m, b {0,1} m, U [q] n For random R [q] n m, b {0,1} m, U [q] n Assuming m n log q Assuming m n log q 33 AD97 Security (cont.) We proved S r i mod P(B) is nearly-random Recall: c 0 = S r i + error(n -5 ) + Gaussian(n -4 ) mod P(B) c 0 = S r i + error(n -5 ) + Gaussian(n -4 ) mod P(B) For any x and error e, |e|~n -5, the distr. x+e+Gaussian(n -5 ), x+Gaussian(n -4 ) are statistically close So c 0 ~ S r i + Gaussian(n -3 ) mod P(B) Which is close to uniform in P(B) Which is close to uniform in P(B) Also c 1 = c 0 + v 0 /2 mod P(B) close to uniform Also c 1 = c 0 + v 0 /2 mod P(B) close to uniform 34 Average-case Decision Wavy-vs-Uniform Worst-case Decision u-SVP Basic Intuition AD97 PKE bit-by-bit n-dimensional Leftover hash lemma Worst-case Search u-SVP Regev03: Hensel lifting AD97: Geometric Ajtai-Dwork & Regev03 PKEs AD07 PKE O(n)-bits n-dimensional Regev03 PKE bit-by-bit 1-dimensional Projecting to a line Amortizing by adding dimensions Not today (slide 60) 35 Lyubashevsky-Micciancio, CRYPTO 2009 Good old-fashion worst-case reductions Mostly Cook reductions (one Karp reduction) Mostly Cook reductions (one Karp reduction) u-SVP vs. BDD vs. GAP-SVP Worst-case Search u-SVP Worst-case Search BDD Worst-case Decision GAP-SVP BDD 1/ GapSVP n log n GapSVP uSVP BDD 1/ uSVP uSVP BDD 1/ 36 Reminder: uSVP and BDD uSVP : uSVP : -unique shortest vector problem Input: a basis B = (b 1,,b n ) Promise: 1 (L(B)) < 2 (L(B)) Task: find shortest nonzero vector in L(B) BDD 1/ : 1/-bounded distance decoding BDD 1/ : 1/ -bounded distance decoding Input: a basis B = (b 1,,b n ), a point t Promise: dist(t, L(B)) < 1 (L(B)) / Task: find closest vector to t in L(B) 37 BDD uSVP /2 BDD 1/ uSVP /2 Input: a basis B = (b 1,,b n ), a point t Assume that we know = dist(t, L(B)) Assume that we know = dist(t, L(B)) Let B = b 1 b n t 0 0 Let v L(B) be the closest to t, |t-v|= Let v L(B) be the closest to t, |t-v|= Will show that the vector [(t-v) ] T is the /2-unique shortest vector in L(B ) Will show that the vector [(t-v) ] T is the /2-unique shortest vector in L(B ) So uSVP /2 (B ) will return it So uSVP /2 (B ) will return it The size of v =[(t-v) ] T is ( 2 + 2 ) 1/2 = 2 Can get by with a good approximation for 38 BDD uSVP /2 (cont.) BDD 1/ uSVP /2 (cont.) Every w L(B) looks like w =[ t-w ] T For some integer and some w L(B) For some integer and some w L(B) Write t-w = ( v-w)- (v-t) Write t-w = ( v-w)- (v-t) v-w L(B), nonzero if w isnt a multiple of v v-w L(B), nonzero if w isnt a multiple of v So | v-w| 1, also recall |v-t|= So | v-w| 1, also recall |v-t|= | t-w| | v-w| - |v-t| 1 - |w | 2 ( 1 - ) 2 + ( ) 2 inf R [( 1 - ) 2 +( ) 2 ] = ( 1 ) 2 /2 ( ) 2 /2 So for any w L(B ), not a multiple of v, we have |w | / 2 = |v | /2 39 uSVP BDD uSVP BDD 1/ Input: a basis B = (b 1,b 2,,b n ) Let be a prime, Let be a prime, For i=1,2,,n, j=1,2,,p-1 B i = (b 1,b 2,, b i,,b n ), t ij = j b i B i = (b 1,b 2,, b i,,b n ), t ij = j b i Let v ij = BDD(B i,T ij ), w ij = v ij t ij Let v ij = BDD 1/ (B i,T ij ), w ij = v ij t ij Output the smallest nonzero w ij in L(B) 40 uSVP BDD(cont.) uSVP BDD 1/ (cont.) Let u be shortest nonzero vector in L(B) u = i b i, at least one i isnt divisible by (otherwise u/ would also be in L(B)) u = i b i, at least one i isnt divisible by (otherwise u/ would also be in L(B)) Let j = - i mod , j {1,2,, -1} Let j = - i mod , j {1,2,, -1} We will prove that for these i,j 1 (L(B i )) > 1 (L(B)) 1 (L(B i )) > 1 (L(B)) dist(t ij, L(B i )) 1 (L(B)) dist(t ij, L(B i )) 1 (L(B)) 41 The smallest multiple of u in L(B i ) is u | u| = (L(B)) (L(B)) | u| = (L(B)) (L(B)) Any other vector in L(B i ) L(B) is longer than (L(B)) (since L(B) is -unique) Any other vector in L(B i ) L(B) is longer than (L(B)) (since L(B) is -unique) (L(B i )) (L(B)) t ij +u = jb i + m b m = (j+ i )b i + m i m b m L(B i ) dist(t ij,L(Bi)) (L(B i )) (B i,t ij ) satisfies the promise of BDD (B i,t ij ) satisfies the promise of BDD 1/ v ij =BDD 1/ (B i,t ij ) is closest to t ij in L(B i ) w ij = v ij t ij L(B), since t ij L(B) and v ij L(B i ) L(B) w ij = v ij t ij L(B), since t ij L(B) and v ij L(B i ) L(B) |w ij |= 1 (L(B)) |w ij |= 1 (L(B)) divisible by p 42 Reminder: GapSVP GapSVP : decision version of approx -SVP Input: Basis B, number Input: Basis B, number Promise: either 1 (L(B)) or 1 (L(B))> Promise: either 1 (L(B)) or 1 (L(B))> Task: decide which is the case Task: decide which is the case The reduction uSVP GapSVP is the same as Regevs Decision-to-Search uSVP reduction (slide 47) 43 GapSVP n log n BDD 1/ Inputs: Basis B=(b 1,,b n ), number Repeat poly(n) times Choose a random s i of length n log n Choose a random s i of length n log n Set t i = s i mod B, run v i =BDD(B,t i ) Set t i = s i mod B, run v i =BDD 1/ (B,t i ) Answer YES if i s.t. v t i -s i, else NO Need will show: 1 (L(B))> n log n v=t i -s i always 1 (L(B)) v t i -s i with probability ~1/2 44 Case 1: 1 (L(B))> n log n Recall: |s i | n log n, t i =s i mod B t i is n log n away from v i = t i -s i L(B) t i is n log n away from v i = t i -s i L(B) (B,t i ) satisfies the promise of BDD (B,t i ) satisfies the promise of BDD 1/ BDD(B,t i ) will return some vector in L(B) BDD 1/ (B,t i ) will return some vector in L(B) Any other L(B) point has distance from t i at least 1 (L(B))- n log n > ( -1) n log n v i is only answer that BDD(B,t i ) can return v i is only answer that BDD 1/ (B,t i ) can return 45 Case 2: 1 (L(B)) Let u be shortest nonzero in L(B), |u|= 1 s i is random in Ball( n log n) With high probability s i u also in ball t i =s i mod B could just as well be chosen as t i =(s i +u) mod B t i =s i mod B could just as well be chosen as t i =(s i +u) mod B Whatever BDD 1/ (B,t) returns it differs from t i -s i w.p. 1/2 Whatever BDD 1/ (B,t) returns it differs from t i -s i w.p. 1/2 radius n log n s u 46 Backup Slides 1. Regevs Decision-to-Search uSVP 2. Regevs dimension reduction 3. Diophantine Approximation 47 uSVP Decision Search Search-uSVP Decision mod-p problem Decision-uSVP 48 Reduction from: Decision mod-p Given a basis (v 1 v n ) for n 1.5 -unique lattice, and a prime p>n 1.5 Assume the shortest vector is: u = a 1 v 1 +a 2 v 2 ++a n v n Decide whether a 1 is divisible by p 49 Reduction to: Decision uSVP Given a lattice, distinguish between: Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n Case 2. Shortest vector is of length more than n 50 The reduction Input: a basis (v 1,,v n ) of a n 1.5 unique lattice Scale the lattice so that the shortest vector is of length 1/n Replace v 1 by pv 1. Let M be the resulting lattice If p | a 1 then M has shortest vector 1/n and all non-parallel vectors more than n If p a 1 then M has shortest vector more than n | 51 The input lattice L The input lattice L 0 nn 1/n L u 2u -u 52 The lattice M 0 nn 1/n The lattice M is spanned by pv 1,v 2,,v n : If p|a 1, then u = (a 1 /p)pv 1 + a 2 v 2 ++ a n v n M : M u 53 The lattice M 0 nn The lattice M is spanned by pv 1,v 2,,v n : If p a 1, then uM: If p a 1, then u M: M | pu -pu 54 Search-uSVP Decision mod-p problem Decision-uSVP uSVP Decision Search 55 Reduction from: Decision mod-p Given a basis (v 1 v n ) for n 1.5 -unique lattice, and a prime p>n 1.5 Assume the shortest vector is: u = a 1 v 1 +a 2 v 2 ++a n v n Decide whether a 1 is divisible by p 56 The Reduction Idea: decrease the coefficients of the shortest vector If we find out that p|a 1 then we can replace the basis with pv 1,v 2,,v n. u is still in the new lattice: u = (a 1 /p)pv 1 + a 2 v 2 + + a n v n The same can be done whenever p|a i for some i 57 The Reduction But what if p a i for all i ? Consider the basis v 1,v 2 -v 1,v 3,,v n The shortest vector is u = (a 1 +a 2 )v 1 + a 2 (v 2 -v 1 ) + a 3 v 3 + + a n v n The first coefficient is a 1 +a 2 Similarly, we can set it to a 1 - b p/2 c a 2,, a 1 -a 2, a 1, a 1 +a 2, , a 1 + b p/2 c a 2 a 1 - b p/2 c a 2,, a 1 -a 2, a 1, a 1 +a 2, , a 1 + b p/2 c a 2 One of them is divisible by p, so we choose it and continue | 58 The Reduction Repeating this process decreases the coefficients of u are by a factor of p at a time The basis that we started from had coefficients 2 2n The basis that we started from had coefficients 2 2n The coefficients are integers The coefficients are integers After 2n 2 steps, all the coefficient but one must be zero The last vector standing must be u 59 Regevs dimension reduction 60 Distinguish between the 1-dimensional distributions: 0 0R-1 Uniform: Wavy: Reducing from n to 1-dimension 61 Reducing from n to 1-dimension First attempt: sample and project to a line 62 Reducing from n to 1-dimension But then we lose the wavy structure! We should project only from points very close to the line 63 The solution Use the periodicity of the distribution Project on a dense line : 64 The solution 65 The solution We choose the line that connects the origin to e 1 +Ke 2 +K 2 e 3 +K n-1 e n where K is large enough The distance between hyperplanes is n The sides are of length 2 n Therefore, we choose K=2 O(n) Hence, d


Compactly Encoding Unstructured Inputs with Differential ... · Compactly Encoding Unstructured Inputs with Differential Compression Miklos Ajtai Randal Burns y Ronald Fagin Darrell

Worst-case to Average-case Reductions based on Gaussian …regev/papers/average.pdf · 2006-09-06 · Worst-case to Average-case Reductions based on Gaussian Measures∗ Daniele Micciancio

Daniele Micciancio UC San Diego LLL+25cseweb.ucsd.edu/~daniele/papers/LLL25-slides.pdf · Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline ... the smallest

Search to Decision Reductions for Knapsacks and LWE 1 October 3, 2011 Daniele Micciancio, Petros Mol UCSD Theory Seminar

Worst album covers_ever.pps

Robert Blecker - The Worst of the Worst

Worst casedisabilities03 2011

Miklós Ajtai, Vitaly Feldman, Avinatan Hassidim, Jelani Nelson Presented by Dan Garber

Shaytan / Satan (iblees / Jinn) Worst of the worst

We4IT lcty 2013 - keynote - worst practices - the best of the worst

Bryn D’Andrea’s Best and Worst of 2008. Movies TransformersHancock Best Worst

CSE208: Advanced Cryptographycseweb.ucsd.edu/classes/fa20/cse208-a/slides.pdf · 2020. 12. 10. · CSE208: Advanced Cryptography Daniele Micciancio Introduction DefiningFHE Bootstrapping

Worst 20 meals

FHEW: Homomorphic Encryption Bootstrappingasilverb/CryptoDayFiles/uci15b.pdfFHEW: Homomorphic Encryption Bootstrapping in less than a Second1 L eo Ducas2 Daniele Micciancio UC San

UNIVERSITY OF CALIFORNIA, SAN DIEGOcseweb.ucsd.edu/~vlyubash/papers/dissertation_single...University of California, San Diego, 2008 Professor Daniele Micciancio, Chair Lattice-based

Worst presentationeverstandalone

Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)

Worst Case Noise

Blacksmith Institute’s World Worst Polluted World´s Worst

Worst Witch, The - The Worst Witch

Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss

Worst Forex Trades

Lattice-based Cryptographycseweb.ucsd.edu/~daniele/papers/PostQuantum.pdf · Lattice-based Cryptography∗ Daniele Micciancio† Oded Regev‡ November 7, 2008 1 Introduction In this

Grails Worst Practices

worst nightmare boss

Best&Worst Returns

Worst Poster Ever

Worst Thing

NTRU and Lattice-Based Crypto: Past, Present, and Futurearchive.dimacs.rutgers.edu/Workshops/Post-Quantum/... · Lattice-Based Crypto | Early History 4 Lattice-Based Crypto Ajtai

The Worst of the Worst - Foreign Policy Jun 2010

Provable Security of Merkle-Micciancio-Lyubashevsky’s ......Diploma Thesis October 2007 - March 2008 Provable Security of Merkle-Micciancio-Lyubashevsky’s Signature Scheme Aleksandar

The Worst Code

Python Worst Practices

Avoiding the worst-case scenarioS avoiding the worst-case ... · Avoiding the worst-case scenarioSavoiding the worst-case scenarioS. Founded in 1982, ... runbook grows increasingly

BEST & WORST EXPERIENCES.pptx