Good, right. Welcome to the lattice session of the third day of Eurocrypt 2016. So the only thing standing between you and lunch is two talks, the first of which is this paper by Nicolas Gama, Malika Izabachène, Phong Nguyen and Xiang Xie, and Nicolas is going to give the talk.

Thank you for the introduction. Do you hear me? Yes, okay. So indeed, it's a very long title, Structural Lattice Reduction, etc. So in this paper we cover a lot of topics, ranging from lattice reduction and worst-case to average-case connections, some abstraction tools to connect more general crypto building blocks to lattice-based systems, and also some generic tools of compilation theory, like automata or binary decision diagrams, to the world of homomorphic encryption. So here in this talk I will just pick three subtopics at random, with a Gaussian heuristic, starting with the generalization of SIS and LWE to arbitrary groups.

So in general, when we talk about lattice-based crypto, we rely on the two problems SIS and LWE. They are in general defined using huge matrices and presented with linear algebra, and they use in general a lot of parameters. Some of them are meaningless, like for example the parameter q, so for that reason it has been banned from my talk, and instead I will adopt a group-theoretical point of view, which will emphasize the duality between the two problems.

So let's start with a short introduction of what lattice problems are. So a lattice is a discrete subgroup of R^n. It's usually described by a basis. There are infinitely many bases, which are all related by unimodular transformations, but at least they have the same determinant up to the sign, which is the volume of the lattice. So there are a lot of lattice problems in the literature. So here I will just keep it simple and stupid. So let's say there is only one lattice problem in this world.
It's: given a lattice and a ball, find lattice points within the ball. So the lattice is described by a basis, and the ball is described by its center and radius. So there are three flavors of this problem. There are the approximation problems, where the ball is much larger than the lattice volume. So in this case there are exponentially many solutions, even if you translate the ball or if you take another norm, like square balls. There are the exact problems, where you take the ball approximately equal to the lattice volume. So if you translate it, there will always be approximately a single solution. And there are the unique problems, where the volume of the ball is much smaller than the lattice. So if you pick a ball at random, it will contain no solution at all, and only specially crafted ones contain a very unique point.

So what about the hardness of these problems? Well, it's all a matter of density. You compare the volume of the ball with the volume of the lattice. If the density is exponential, you get polynomial-time algorithms like LLL or BKZ. If the volume of the ball is exponentially smaller than the volume, the same algorithms will also solve your instance. So that's the kind of duality between the two, and in the center, for the exact problems, you get NP-hard problems. So where is the crypto in this picture? Well, it's here, when the crypto is based on the SIS problem, on the approximate side, or here on the unique side with LWE.

That's all you need to know about lattices. Now let's define the SIS function. So I will present it with groups. So let's start with an abelian group G, and let's pick m elements at random in this group. What is the SIS function? Well, it's simply: you take m integers and output the linear combination of the g_i with these coefficients.
So this function is totally linear, but if you restrict the input domain to only short elements, for example in the ball of radius beta, then magically your function becomes one-way. It means that although for each image there is an exponential number of preimages, you cannot find any of them in any reasonable time. So inverting the SIS function is the SIS problem, which is sometimes called the subset-sum problem, depending on the shape of the group. So how is it connected to lattices? Well, solving the SIS problem is almost equivalent to finding short vectors in a uniformly random lattice of this particular class L(G), which is all the integer lattices whose quotient is isomorphic to G. So of course, since in this talk we are free to choose the structure as we want, and even to mimic the standard class group distribution, then we can get very nice random self-reducibility for general lattices, but I will not talk about that here.

Most importantly, what we should remember is that 20 years ago Ajtai proved that if we can efficiently solve the SIS problem for this particular group on average, then we can solve any lattice problem in dimension n, and in our paper we generalize the result to every group, provided that they have large enough cyclic components. So yeah, I really said every group, not many groups. So basically, if you want to base a scheme on SIS, the hardness depends only on two factors. The first one is the order of G; the hardness increases with it. And the second one is the radius of the expected answers. Basically, the hardness does not depend on anything else: not m, not the structure of the group, not the choice of the family. So that's it for SIS.
Now let's go to LWE. So in order to introduce LWE we need to recall some basic properties of duality. So let's start with the definition of a character. A character is simply a morphism, an additive morphism, from a group G to the torus. The torus is just the real numbers modulo one, so it's a group, it's not a ring, there is no multiplication. And every group is isomorphic to its dual group, which is the set of all the characters. Now that we know that, the LWE problem is: well, you pick m elements in a group, you choose a random secret character in the dual group, and the goal is, if I give you m evaluations of this character with some noise, some Gaussian noise, can you recover this character? So in 2005 Regev defined it using the special group Z_q^n, like Ajtai did for SIS, but it can be generalized to every abelian group.

So let me give a small example for a cyclic group. I take the group Z/25Z and the secret character which just takes a and outputs 2a/25 modulo one. So if I take LWE samples, they will remain close to this value. So here all the samples are taken near the black zone. Instead, if I choose random samples in the rectangle, it would look like the green one, with no particular structure. And of course the LWE problem is: if I don't give you the secret, can you distinguish the two distributions?
So that's the hard problem. If you solve it, even with a quantum computer, you destroy all lattice-based cryptography. So from that, what is the LWE function? So as before, you take m elements uniformly at random in a group G, and the function is simply the following. It goes from the dual group to the torus, and it associates to a character the set of its evaluations. So this function again is one-way, and if you invert it you break the LWE problem. So, worst-case to average-case reduction: in 2005 Regev proved that if we solve LWE for the group Z_q^n, then there is a quantum adversary against every n-dimensional lattice, and in this paper we generalize that to any group which is sufficiently large.

Okay, so now how do we use that for lattice cryptography? Well, there are two techniques in lattice cryptography. The first one is using trapdoors, and the second one is without trapdoors. So the first one will have many similarities with RSA, the second one many similarities with Diffie-Hellman. So if you remember, in RSA, well, this function, m goes to m^e modulo N, is the main one-way function, and it has a trapdoor, for example this integer d, which is the inverse of e modulo phi(N). It takes maybe a lot of time to compute from N and e, but once you have it, you can invert the function for any input in polynomial time. So for lattice-based schemes you have two one-way functions: you have the SIS function and the LWE function. And again there is a notion of trapdoors: if you get a short basis of this orthogonal lattice, then you can invert both functions in polynomial time for every input. So there are already a lot of constructions based on this trapdoor, so I won't give any more details here. What is more interesting is the Diffie-Hellman-based cryptography. So let's recall what Diffie-Hellman is.
So we all know it's a key exchange between Alice and Bob. Alice picks a random integer a modulo q and sends g^a, Bob picks a random integer b and sends g^b, and both will compute the same key g^(ab) out of that. So in this setting you combine a one-way function, which is the discrete-log one-way function, the exponentiation f(a) = g^a, with a pairing e(a, b) = g^(ab), and this pairing has the property that it can be computed even if either a or b is hidden by f, but not both. And yeah, the security is the DDH assumption, that you cannot distinguish ElGamal Diffie-Hellman triples from random.

If we want to extend that to lattices, what would be the pairing that we would use, and what would be the one-way functions? Well, the one-way functions we already described: it's the SIS function and the LWE function. All we need is a pairing that combines the two. So basically, given a character and a combination, it will just apply the character to the linear combination of the group elements. So once we have it, well, we immediately get the lattice-based key exchange. So Alice picks small integers and returns the SIS evaluation, the SIS linear combination; Bob chooses a random character and returns the LWE evaluation; and from that both can compute the pairing. So in the case of Alice there will be some noise, but of course every noise can be removed by rounding the result on the torus. So like that you get an analog of Diffie-Hellman. Of course, since Diffie-Hellman is the core of ElGamal encryption, you get two ElGamal schemes, which are, well, Regev encryption and dual Regev encryption. So why are there two schemes?
It's because the pairing we use is not symmetric, so there were two one-way functions instead of one. But for the security, you immediately get IND-CPA security and maybe other post-quantum properties, since we rely on the LWE assumption, for example. And similarly, many lattice schemes can be viewed as analogs of the RSA or discrete-log instantiations, for lattices.

So now, in the two minutes I have, I will just give the outline of what happened for fully homomorphic encryption. So we chose one particular line of homomorphic schemes, which is the one from Gentry, Sahai and Waters, and the optimizations of AP14 and Léo Ducas and Micciancio last year. So basically, what this scheme can do: so like others, of course, additions and linear combinations, but the most unique thing for these schemes is that these are the only schemes that are able to evaluate long conjunctions with a noise propagation which is only sublinear in the length, so which almost does not depend on the multiplicative depth of the circuit. And there is also this very nice bootstrapping in less than one second. So in this paper, what we add is the ability to evaluate any binary decision diagram or deterministic automaton with only sublinear noise overhead in either the number of variables or the length of the word which is tested. We also add universal composition of Boolean functions and also a slower internal bootstrapping. So it really matters a lot, because when we think of everyday-life problems, we usually think of them as a finite-state-machine algorithm, not really as polynomial arithmetic where the result is some kind of combination of the Lagrange interpolation of the input, etc., etc. So having the automata logic or the binary decision diagram logic looks way more general than what we can do with polynomial expressions. So the only drawback is really practice.
I mean, the gate complexity of these circuits lags light years behind what we can do usually with BGV or YASHE. So maybe one of the big open problems is performance. But for these schemes, I mean, we are all optimizing polynomial things, so between the turtle and the rabbit, we never know who will win in the end. So basically that concludes my talk, and if you have any questions, feel free to ask. Thank you.

I'm just curious. So this is a more general way of describing LWE with character values. I mean, it's clear that syntactically one could do the same with non-abelian groups, at least if you go to complex-valued characters. I mean, is this of value at all, that anybody thinks about this? Or is this just, you know, formalized abstract nonsense with non-abelian groups?

Yeah, that's an interesting question. Yeah, it's possible that some of the results translate also to the non-commutative case.

Any other questions? So I'm gonna move over to the other side of the room in case... No, no one wants to wave their hand. Okay, well, thanks to the speaker again. Thank you.
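The lattice analogue of Diffie-Hellman described in the talk (Alice publishes a SIS combination of public group elements, Bob publishes noisy LWE evaluations of a secret character, and both evaluate the pairing and round the result on the torus), worked through in Python as an added example; this is not code from the talk or the paper. The group G = Z_25 x Z_32 x Z_49, the sizes and the noise are constructed toy values chosen so the exchange can be checked exactly, not parameters anyone would deploy.

```python
import random
from fractions import Fraction  # exact arithmetic on the torus R/Z, so no float rounding issues

# Constructed toy instance (not secure): G = Z_25 x Z_32 x Z_49, a product of cyclic groups.
ORDERS = (25, 32, 49)   # orders q_j of the cyclic components
M = 64                  # number of public random group elements g_1..g_m
NOISE_DENOM = 1000      # Bob's noise e_i is drawn from {-1, 0, 1} / NOISE_DENOM

def character(s, g):
    """Character of G indexed by s in the dual group: g -> sum_j s_j*g_j/q_j mod 1."""
    return sum(Fraction(sj * gj, qj) for sj, gj, qj in zip(s, g, ORDERS)) % 1

def sis(gs, x):
    """SIS function: short integer vector x -> sum_i x_i*g_i, computed in G."""
    return tuple(sum(xi * g[j] for xi, g in zip(x, gs)) % qj for j, qj in enumerate(ORDERS))

def lwe(gs, s, noise):
    """LWE function: character s -> (s(g_1) + e_1, ..., s(g_m) + e_m) on the torus."""
    return [(character(s, g) + e) % 1 for g, e in zip(gs, noise)]

def torus_dist(t, u):
    """Distance between two torus elements, i.e. |t - u| taken modulo 1."""
    d = (t - u) % 1
    return min(d, 1 - d)

def round_bit(t):
    """Round a torus element to one key bit: 0 if it is near 0, 1 if it is near 1/2."""
    return 1 if Fraction(1, 4) <= t < Fraction(3, 4) else 0

def key_exchange(seed):
    """Run one exchange; returns Alice's torus value, Bob's torus value and Alice's error bound."""
    rng = random.Random(seed)
    gs = [tuple(rng.randrange(q) for q in ORDERS) for _ in range(M)]  # public g_1..g_m
    # Alice: short coefficients x in {-1,0,1}^m, publishes the SIS value a = sum x_i g_i.
    x = [rng.choice((-1, 0, 1)) for _ in range(M)]
    a = sis(gs, x)
    # Bob: secret character s, publishes the noisy LWE evaluations b_i = s(g_i) + e_i.
    s = tuple(rng.randrange(q) for q in ORDERS)
    noise = [Fraction(rng.choice((-1, 0, 1)), NOISE_DENOM) for _ in range(M)]
    b = lwe(gs, s, noise)
    # Pairing e(s, x) = s(sum x_i g_i): Bob evaluates it exactly on a; Alice evaluates it on b and
    # picks up the error sum x_i e_i, bounded by sum |x_i| / NOISE_DENOM. Rounding both values
    # with round_bit agrees whenever Bob's value is farther than that bound from 1/4 and 3/4.
    bob = character(s, a)
    alice = sum(xi * bi for xi, bi in zip(x, b)) % 1
    error_bound = Fraction(sum(abs(xi) for xi in x), NOISE_DENOM)
    return alice, bob, error_bound

if __name__ == "__main__":
    alice, bob, bound = key_exchange(2016)
    print(float(alice), float(bob), float(bound), round_bit(alice), round_bit(bob))
```

The character (a -> 2a/25) from the talk's Z/25Z example is `character((2, 0, 0), (a, 0, 0))` here, since the first component of G is Z_25.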