Limits on the Efficiency of Ring LWE-based Key Exchange

Slide Note
Embed
Share

This study explores the limitations of Ring LWE-based key exchange protocols and their impact on non-interactive key exchange mechanisms. It discusses the LWE assumption, noise distribution, and the practical implications of small moduli q and noise-to-modulus ratio r. Additionally, it delves into Post-Quantum Cryptography standardization efforts, including quantum-resistant cryptosystems like lattice-based, code-based, multivariate, and hash-based signatures.

kaer460
kaer460 Follow

Uploaded on Sep 18, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Limits on the Efficiency of (Ring) LWE based Non-Interactive Key Exchange Siyao Guo NUY Shanghai Pritish Kamath TTIC Alon Rosen IDC Herzliya Katerina Sotiraki MIT

  2. KEY-EXCHANGE [Diffie-Hellman 76]

  3. KEY-EXCHANGE [Diffie-Hellman 76]

  4. KEY-EXCHANGE [Diffie-Hellman 76]

  5. POST-QUANTUM KEY EXCHANGE NIST Post-Quantum Cryptography standardization includes proposals for key-encapsulation mechanism.

  6. POST-QUANTUM KEY EXCHANGE NIST Post-Quantum Cryptography standardization includes proposals for key-encapsulation mechanism. Many quantum-resistant cryptosystems: lattice-based, code-based, multivariate, hash-based signatures, etc.

  7. POST-QUANTUM KEY EXCHANGE NIST Post-Quantum Cryptography standardization includes proposals for key-encapsulation mechanism. Many quantum-resistant cryptosystems: lattice-based, code-based, multivariate, hash-based signatures, etc.

  8. LWE ASSUMPTION [Regev 05]

  9. LWE ASSUMPTION noise distribution e.g. discrete Gaussian or bounded uniform

  10. LWE ASSUMPTION

  11. LWE ASSUMPTION LWE assumption:

  12. LWE ASSUMPTION LWE assumption: Modulus q: Small q improves practical performance. Fewer constructions known from small q.

  13. LWE ASSUMPTION LWE assumption: Noise-to-modulus ratio r: Intuitively, how large the noise is compared to the modulus q. Large r gives better theoretical guarantees. Fewer constructions known from large r.

  14. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation

  15. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation

  16. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation Introduced by Ding, Xie and Lin [DXL 12], and Peikert [P 14]

  17. LWE-BASED KEY EXCHANGE Key-exchange through public-key encryption Inherently interactive One party completely controls the common secret key Key-exchange through reconciliation Introduced by Ding, Xie and Lin [DXL 12], and Peikert [P 14] Our main focus

  18. LWE-BASED KEY EXCHANGE

  19. LWE-BASED KEY EXCHANGE

  20. LWE-BASED KEY EXCHANGE

  21. LWE-BASED KEY EXCHANGE

  22. LWE-BASED KEY EXCHANGE

  23. LWE-BASED KEY EXCHANGE Approximate Common Key: x1TAx2

  24. EXISTING PROPOSALS extra information Existing proposals [DingXieLui 12], [Peikert 14] add extra communication.

  25. EXISTING PROPOSALS extra information Is this interaction inherent?

  26. LWE-BASED KEY EXCHANGE

  27. LWE-BASED KEY EXCHANGE If noise1 and noise2 are very small compared to q, interaction is not necessary.

  28. LWE-BASED KEY EXCHANGE If noise1 and noise2 are very small compared to q, interaction is not necessary.

  29. LWE-BASED KEY EXCHANGE If we have small noise-to-modulus ratio, interaction is not necessary.

  30. LWE-BASED KEY EXCHANGE In practice, q needs to be small. The typical size of q is 213 and there are proposals that even use q = 257 [LLJ + 17]. Small noise-to-modulus ratio results in worse theoretical security guarantees.

  31. LWE-BASED KEY EXCHANGE In practice, q needs to be small. The typical size of q is 213 and there are proposals that even use q = 257 [LLJ + 17]. Small noise-to-modulus ratio results in worse theoretical security guarantees. Is it possible to have non-interactive LWE-based key exchange when q is small?

  32. OUR RESULTS Natural ideas for achieving non-interactive key agreement do not work.

  33. OUR RESULTS

  34. OUR RESULTS

  35. OUR RESULTS

  36. OUR RESULTS

  37. OUR RESULTS Parties exchange LWE-samples and then run locally a reconciliation function.

  38. OUR RESULTS Natural choices of reconciliation functions cannot achieve agreement.

  39. IMPOSSIBILITY 1 Approximate Common Key: x1TAx2 If noise-to-modulus ratio r is large, then rounding gives agreement with probability < 1 1/q.

  40. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  41. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  42. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  43. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  44. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  45. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition?

  46. IMPOSSIBILITY 1 Can we amplify the agreement probability by repetition? Impossible to amplify the agreement probability by repetition

  47. IMPOSSIBILITY 1 Impossible to amplify the agreement probability by repetition Captured by the problem of Non-interactive Agreement Distillation in Information Theory.

  48. MAXIMAL CORRELATION Maximal correlation almostcaptures the best agreement probability that the players can get even with an infinite number of samples!

  49. MAXIMAL CORRELATION Maximal correlation almostcaptures the best agreement probability that the players can get even with an infinite number of samples! If maximal correlation is bounded away from 1, then repetition does not help!

  50. IMPOSSIBILITY 1 Has very special form: Cayley distribution Known how to compute maximal correlation for Cayley distribution [Lov sz 75]

Related


Compact Ring Signatures from LWE - CRYPTO 2021 Research

Compact Ring Signatures from LWE - CRYPTO 2021 Research

rubymae
Understanding Token Ring Technology in Computer Networks

Understanding Token Ring Technology in Computer Networks

jeanca
Overview of BIKE Key Exchange Protocol by Ray Perlner

Overview of BIKE Key Exchange Protocol by Ray Perlner

kato_mia
Empirical Analysis of Kuwaiti Dinar Exchange Rate Behavior and Misalignment

Empirical Analysis of Kuwaiti Dinar Exchange Rate Behavior and Misalignment

kalina
Foreign Exchange Regulations in India: FERA and FEMA Overview

Foreign Exchange Regulations in India: FERA and FEMA Overview

jang572
Cutting-edge Proton EDM Storage Ring Experiment Insights

Cutting-edge Proton EDM Storage Ring Experiment Insights

eze_for
Understanding Confidence Limits in Statistical Analysis

Understanding Confidence Limits in Statistical Analysis

merideth_k
Overview of Damping Ring and Transfer Lines for FCC-ee Pre-Injector Complex

Overview of Damping Ring and Transfer Lines for FCC-ee Pre-Injector Complex

clane
CEPC Main Ring Double Ring Scheme Lattice Design

CEPC Main Ring Double Ring Scheme Lattice Design

nida_le
Understanding Precise Definitions of Limits in Analysis

Understanding Precise Definitions of Limits in Analysis

lyke_ari
Understanding Foreign Exchange Rate Systems and Their Impact on Economies

Understanding Foreign Exchange Rate Systems and Their Impact on Economies

solomon
Foreign Exchange Management Act, 1999: Overview and Structure

Foreign Exchange Management Act, 1999: Overview and Structure

azac495
Understanding Exchange Rates: An Asset Approach

Understanding Exchange Rates: An Asset Approach

susa_451
Analysis of Dapivirine Ring Introduction Framework and Key Insights in Sub-Saharan Africa

Analysis of Dapivirine Ring Introduction Framework and Key Insights in Sub-Saharan Africa

izariah
Enhancing Particle Acceleration in Booster with Permanent Magnet Accumulator Ring

Enhancing Particle Acceleration in Booster with Permanent Magnet Accumulator Ring

bra_sch
Analysis of Dapivirine Ring Introduction in South Africa

Analysis of Dapivirine Ring Introduction in South Africa

aiza
Understanding International Financial Environment and Foreign Exchange Markets

Understanding International Financial Environment and Foreign Exchange Markets

loki
Understanding Revenue Limits and Calculation Process in School Financial Management

Understanding Revenue Limits and Calculation Process in School Financial Management

saha_88
Understanding the Human Gas Exchange System

Understanding the Human Gas Exchange System

oakleigh
Understanding Particle-on-a-Ring Approximation in Chemistry

Understanding Particle-on-a-Ring Approximation in Chemistry

ryne
Comprehensive Analysis of Fructose Ring Structures in Chemistry Department at GC Paonta Sahib

Comprehensive Analysis of Fructose Ring Structures in Chemistry Department at GC Paonta Sahib

ripley
Long-term Variation of Magnet Alignment in SPring-8 Storage Ring

Long-term Variation of Magnet Alignment in SPring-8 Storage Ring

emanii
Cherenkov Ring Radius Determination from Modular Rich Detector Simulation

Cherenkov Ring Radius Determination from Modular Rich Detector Simulation

tar_pet
Dynamic Aperture Optimization for CEPC Main Ring

Dynamic Aperture Optimization for CEPC Main Ring

azai_338

More Related Content