Revisiting the Sanders-Freiman-Ruzsa Theorem in and its Application to Non-malleable Codes
Non-malleable codes (NMCs) protect sensitive data against degrees of
corruption that prohibit error detection, ensuring instead that a corrupted
codeword decodes correctly or to something that bears little relation to the
original message. The split-state model, in which codewords consist of two
blocks, considers adversaries who tamper with either block arbitrarily but
independently of the other. The simplest construction in this model, due to
Aggarwal, Dodis, and Lovett (STOC'14), was shown to give NMCs sending k-bit
messages to -bit codewords. It is conjectured, however, that the
construction allows linear-length codewords. Towards resolving this conjecture,
we show that the construction allows for code-length . This is achieved
by analysing a special case of Sanders's Bogolyubov-Ruzsa theorem for general
Abelian groups. Closely following the excellent exposition of this result for
the group by Lovett, we expose its dependence on for the
group , where is a prime.
Solving the Closest Vector Problem in Time--- The Discrete Gaussian Strikes Again!
We give a -time and space randomized algorithm for solving the
exact Closest Vector Problem (CVP) on -dimensional Euclidean lattices. This
improves on the previous fastest algorithm, the deterministic
-time and -space algorithm of
Micciancio and Voulgaris.
We achieve our main result in three steps. First, we show how to modify the
sampling algorithm from [ADRS15] to solve the problem of discrete Gaussian
sampling over lattice shifts, , with very low parameters. While the
actual algorithm is a natural generalization of [ADRS15], the analysis uses
substantial new ideas. This yields a -time algorithm for
approximate CVP for any approximation factor .
Second, we show that the approximate closest vectors to a target vector can
be grouped into "lower-dimensional clusters," and we use this to obtain a
recursive reduction from exact CVP to a variant of approximate CVP that
"behaves well with these clusters." Third, we show that our discrete Gaussian
sampling algorithm can be used to solve this variant of approximate CVP.
The analysis depends crucially on some new properties of the discrete
Gaussian distribution and approximate closest vectors, which might be of
independent interest.
Why we couldn't prove SETH hardness of the Closest Vector Problem for even norms, and of the Subset Sum Problem!
Recent work [BGS17,ABGS19] has shown SETH hardness of some constant factor
approximate CVP in the norm for any that is not an even integer.
This result was shown by giving a Karp reduction from -SAT on variables
to approximate CVP on a lattice of rank . In this work, we show a barrier
towards proving a similar result for CVP in the norm where is an
even integer. We show that for any , if for every , there
exists an efficient reduction that maps a -SAT instance on variables to
a -CVP instance for a lattice of rank at most in the
Euclidean norm, then . We prove a
similar result for -CVP for all even norms under a mild
additional promise that the ratio of the distance of the target from the
lattice and the shortest non-zero vector in the lattice is bounded by
.
Furthermore, we show that for any , and any even integer , if
for every , there exists an efficient reduction that maps a -SAT
instance on variables to a - instance for a lattice
of rank at most , then . The
result for SVP does not require any additional promise.
While prior results have indicated that lattice problems in the norm
(Euclidean norm) are easier than lattice problems in other norms, this is the
first result that shows a separation between these problems.
We achieve this by using a result by Dell and van Melkebeek [JACM, 2014] on
the impossibility of the existence of a reduction that compresses an arbitrary
-SAT instance into a string of length for any
. In addition to CVP, we also show that the same result holds for
the Subset-Sum problem using similar techniques.
Comment: 32 pages, 3 figure
Improved Algorithms for the Shortest Vector Problem and the Closest Vector Problem in the Infinity Norm
Blömer and Naewe [BN09] modified the randomized sieving algorithm of Ajtai,
Kumar and Sivakumar [AKS01] to solve the shortest vector problem (SVP). The
algorithm starts with randomly chosen vectors in the lattice and
employs a sieving procedure to iteratively obtain shorter vectors in the
lattice. The running time of the sieving procedure is quadratic in .
We study this problem for the special but important case of the
norm. We give a new sieving procedure that runs in time linear in , thereby
significantly improving the running time of the algorithm for SVP in the
norm. As in [AKS02,BN09], we also extend this algorithm to obtain
significantly faster algorithms for approximate versions of the shortest vector
problem and the closest vector problem (CVP) in the norm.
We also show that the heuristic sieving algorithms of Nguyen and Vidick [NV08]
and Wang et al. [WLTB11] can also be analyzed in the norm. The
main technical contribution in this part is to calculate the expected volume of
intersection of a unit ball centred at origin and another ball of a different
radius centred at a uniformly random point on the boundary of the unit ball.
This might be of independent interest.
Comment: Changed the titl
Just Take the Average! An Embarrassingly Simple 2^n-Time Algorithm for SVP (and CVP)
We show a 2^{n+o(n)}-time (and space) algorithm for the Shortest Vector Problem on lattices (SVP) that works by repeatedly running an embarrassingly simple "pair and average" sieving-like procedure on a list of lattice vectors. This matches the running time (and space) of the current fastest known algorithm, due to Aggarwal, Dadush, Regev, and Stephens-Davidowitz (ADRS, in STOC, 2015), with a far simpler algorithm. Our algorithm is in fact a modification of the ADRS algorithm, with a certain careful rejection sampling step removed.
The correctness of our algorithm follows from a more general "meta-theorem," showing that such rejection sampling steps are unnecessary for a certain class of algorithms and use cases. In particular, this also applies to the related 2^{n + o(n)}-time algorithm for the Closest Vector Problem (CVP), due to Aggarwal, Dadush, and Stephens-Davidowitz (ADS, in FOCS, 2015), yielding a similar embarrassingly simple algorithm for gamma-approximate CVP for any gamma = 1+2^{-o(n/log n)}. (We can also remove the rejection sampling procedure from the 2^{n+o(n)}-time ADS algorithm for exact CVP, but the resulting algorithm is still quite complicated.)
Quantum attacks on Bitcoin, and how to protect against them
The key cryptographic protocols used to secure the internet and financial
transactions of today are all susceptible to attack by the development of a
sufficiently large quantum computer. One particular area at risk is
cryptocurrencies, a market currently worth over 150 billion USD. We investigate
the risk of Bitcoin, and other cryptocurrencies, to attacks by quantum
computers. We find that the proof-of-work used by Bitcoin is relatively
resistant to substantial speedup by quantum computers in the next 10 years,
mainly because specialized ASIC miners are extremely fast compared to the
estimated clock speed of near-term quantum computers. On the other hand, the
elliptic curve signature scheme used by Bitcoin is much more at risk, and could
be completely broken by a quantum computer as early as 2027, by the most
optimistic estimates. We analyze an alternative proof-of-work called Momentum,
based on finding collisions in a hash function, that is even more resistant to
speedup by a quantum computer. We also review the available post-quantum
signature schemes to see which one would best meet the security and efficiency
requirements of blockchain applications.
Comment: 21 pages, 6 figures. For a rough update on the progress of Quantum
devices and prognostications on time from now to break Digital signatures,
see https://www.quantumcryptopocalypse.com/quantum-moores-law
Extractors: Low Entropy Requirements Colliding With Non-Malleability
The known constructions of negligible error (non-malleable) two-source
extractors can be broadly classified in three categories:
(1) Constructions where one source has min-entropy rate about , the
other source can have small min-entropy rate, but the extractor doesn't
guarantee non-malleability.
(2) Constructions where one source is uniform, and the other can have small
min-entropy rate, and the extractor guarantees non-malleability when the
uniform source is tampered.
(3) Constructions where both sources have entropy rate very close to and
the extractor guarantees non-malleability against the tampering of both
sources.
We introduce a new notion of collision resistant extractors and in using it
we obtain a strong two source non-malleable extractor where we require the
first source to have entropy rate and the other source can have
min-entropy polylogarithmic in the length of the source.
We show how the above extractor can be applied to obtain a non-malleable
extractor with output rate , which is optimal. We also show how, by
using our extractor and extending the known protocol, one can obtain a privacy
amplification secure against memory tampering where the size of the secret
output is almost optimal.