
Publication


Featured research published by Divesh Aggarwal.


symposium on the theory of computing | 2015

Solving the Shortest Vector Problem in 2^n Time Using Discrete Gaussian Sampling: Extended Abstract

Divesh Aggarwal; Daniel Dadush; Oded Regev; Noah Stephens-Davidowitz

We give a randomized 2^{n+o(n)}-time and space algorithm for solving the Shortest Vector Problem (SVP) on n-dimensional Euclidean lattices. This improves on the previous fastest algorithm: the deterministic Õ(4^n)-time and Õ(2^n)-space algorithm of Micciancio and Voulgaris (STOC 2010, SIAM J. Comp. 2013). In fact, we give a conceptually simple algorithm that solves the (in our opinion, even more interesting) problem of discrete Gaussian sampling (DGS). More specifically, we show how to sample 2^{n/2} vectors from the discrete Gaussian distribution at any parameter in 2^{n+o(n)} time and space. (Prior work only solved DGS for very large parameters.) Our SVP result then follows from a natural reduction from SVP to DGS. In addition, we give a more refined algorithm for DGS above the so-called smoothing parameter of the lattice, which can generate 2^{n/2} discrete Gaussian samples in just 2^{n/2+o(n)} time and space. Among other things, this implies a 2^{n/2+o(n)}-time and space algorithm for 1.93-approximate decision SVP.


theory of cryptography conference | 2015

Leakage-Resilient Non-malleable Codes

Divesh Aggarwal; Stefan Dziembowski; Tomasz Kazana; Maciej Obremski

A recent trend in cryptography is to construct cryptosystems that are secure against physical attacks. Such attacks are usually divided into two classes: the leakage attacks in which the adversary obtains some information about the internal state of the machine, and the tampering attacks where the adversary can modify this state. One of the popular tools used to provide tamper-resistance are the non-malleable codes introduced by Dziembowski, Pietrzak and Wichs (ICS 2010). These codes can be defined in several variants, but arguably the most natural of them are the information-theoretically secure codes in the k-split-state model (the most desired case being k = 2).


theory of cryptography conference | 2016

Optimal Computational Split-state Non-malleable Codes

Divesh Aggarwal; Shashank Agrawal; Divya Gupta; Hemanta K. Maji; Omkant Pandey; Manoj Prabhakaran

Non-malleable codes are a generalization of classical error-correcting codes where the act of “corrupting” a codeword is replaced by a “tampering” adversary. Non-malleable codes guarantee that the message contained in the tampered codeword is either the original message m, or a completely unrelated one. In the common split-state model, the codeword consists of multiple blocks (or states) and each block is tampered with independently.


foundations of computer science | 2015

Solving the Closest Vector Problem in 2^n Time -- The Discrete Gaussian Strikes Again!

Divesh Aggarwal; Daniel Dadush; Noah Stephens-Davidowitz

We give a 2^{n+o(n)}-time and space randomized algorithm for solving the exact Closest Vector Problem (CVP) on n-dimensional Euclidean lattices. This improves on the previous fastest algorithm, the deterministic Õ(4^n)-time and Õ(2^n)-space algorithm of Micciancio and Voulgaris [1]. We achieve our main result in three steps. First, we show how to modify the sampling algorithm from [2] to solve the problem of discrete Gaussian sampling over lattice shifts, L - t, with very low parameters. While the actual algorithm is a natural generalization of [2], the analysis uses substantial new ideas. This yields a 2^{n+o(n)}-time algorithm for approximate CVP with the very good approximation factor γ = 1 + 2^{-o(n/log n)}. Second, we show that the approximate closest vectors to a target vector t can be grouped into “lower-dimensional clusters,” and we use this to obtain a recursive reduction from exact CVP to a variant of approximate CVP that “behaves well with these clusters.” Third, we show that our discrete Gaussian sampling algorithm can be used to solve this variant of approximate CVP. The analysis depends crucially on some new properties of the discrete Gaussian distribution and approximate closest vectors, which might be of independent interest.


Information Processing Letters | 2015

Affine-evasive sets modulo a prime

Divesh Aggarwal

Optimal affine-evasive set construction. Optimal non-malleable codes against affine tampering. Improved non-malleable codes against split-state tampering.

In this work, we describe a simple and efficient construction of a large subset S of F_p, where p is a prime, such that the set A(S) for any non-identity affine map A over F_p has small intersection with S. Such sets, called affine-evasive sets, were defined and constructed in [1] as the central step in the construction of non-malleable codes against affine tampering over F_p, for a prime p. This was then used to obtain efficient non-malleable codes against split-state tampering. Our result resolves one of the two main open questions in [1]. It improves the rate of non-malleable codes against affine tampering over F_p from log log p to a constant, and consequently the rate for non-malleable codes against split-state tampering for n-bit messages is improved from n^6 log^7 n to n^6.


international conference on the theory and application of cryptology and information security | 2011

The leakage-resilience limit of a computational problem is equal to its unpredictability entropy

Divesh Aggarwal; Ueli Maurer

A cryptographic assumption is the (unproven) mathematical statement that a certain computational problem (e.g. factoring integers) is computationally hard. The leakage-resilience limit of a cryptographic assumption, and hence of a computational search problem, is the maximal number of bits of information that can be leaked (adaptively) about an instance, without making the problem easy to solve. This implies security of the underlying scheme against arbitrary side channel attacks by a computationally unbounded adversary as long as the number of leaked bits of information is less than the leakage resilience limit. The hardness of a computational problem is typically characterized by the running time of the fastest (known) algorithm for solving it. We propose to consider, as another natural complexity-theoretic quantity, the success probability of the best polynomial-time algorithm (which can be exponentially small). We refer to its negative logarithm as the unpredictability entropy of the problem (which is defined up to an additive logarithmic term). A main result of the paper is that the leakage-resilience limit and the unpredictability entropy are equal. This demonstrates, for the first time, the practical relevance of studying polynomial-time algorithms even for problems believed to be hard, and even if the success probability is too small to be of practical interest. With this view, we look at the best probabilistic polynomial time algorithms for the learning with errors and lattice problems that have in recent years gained relevance in cryptography. We also introduce the concept of witness compression for computational problems, namely the reduction of a problem to another problem for which the witnesses are shorter. The length of the smallest achievable witness for a problem also corresponds to the non-adaptive leakage-resilience limit, and it is also shown to be equal to the unpredictability entropy of the problem. 
The witness compression concept is also of independent theoretical interest. An example of an implication of our result is that 3-SAT for n variables can be witness compressed from n bits (the variable assignments) to 0.41 n bits.


theory of cryptography conference | 2017

Inception Makes Non-malleable Codes Stronger

Divesh Aggarwal; Tomasz Kazana; Maciej Obremski

Non-malleable codes (NMCs), introduced by Dziembowski et al. [DPW10], provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. NMCs have emerged as a fundamental object at the intersection of coding theory and cryptography.


international cryptology conference | 2018

A New Public-Key Cryptosystem via Mersenne Numbers

Divesh Aggarwal; Antoine Joux; Anupam Prakash; Miklos Santha

In this work, we propose a new public-key cryptosystem whose security is based on the computational intractability of the following problem: Given a Mersenne number \(p = 2^n - 1\), where n is a prime, a positive integer h, and two n-bit integers T, R, decide whether there exist n-bit integers F, G each of Hamming weight less than h such that \(T = F\cdot R + G\) modulo p.


international symposium on information theory | 2016

Affine-malleable extractors, spectrum doubling, and application to privacy amplification

Divesh Aggarwal; Kaave Hosseini; Shachar Lovett

The study of seeded randomness extractors is a major line of research in theoretical computer science. The goal is to construct deterministic algorithms which can take a “weak” random source X with min-entropy k and a uniformly random seed Y of length d, and output a string of length close to k that is close to uniform and independent of Y. Dodis and Wichs [DW09] introduced a generalization of randomness extractors called non-malleable extractors (nmExt) where nmExt(X, Y) is close to uniform and independent of Y and nmExt(X, f(Y)) for any function f with no fixed points. We relax the notion of a non-malleable extractor and introduce what we call an affine-malleable extractor (AmExt : F^n × F^d → F) where AmExt(X, Y) is close to uniform and independent of Y and has some limited dependence on AmExt(X, f(Y)): conditioned on Y, (AmExt(X, Y), AmExt(X, f(Y))) is ε-close to (U, A · U + B) where U is uniformly distributed in F and A, B ∈ F are random variables independent of U. We show that the inner-product function ⟨·, ·⟩ : F^n × F^n → F is an affine-malleable extractor for min-entropy k = n/2 + Ω(log(1/ε)). Moreover, under a plausible conjecture in additive combinatorics (called the Spectrum Doubling Conjecture), we show that this holds for k = Ω(log n log(1/ε)). As a modest justification of the conjecture, we show that a weaker version of the conjecture is implied by the widely believed Polynomial Freiman-Ruzsa conjecture. We also study the classical problem of privacy amplification, where two parties Alice and Bob share a weak secret X of min-entropy k, and wish to agree on a secret key R of length m over a public communication channel completely controlled by a computationally unbounded attacker Eve. The main application of non-malleable extractors and their many variants has been in constructing secure privacy amplification protocols. We show that affine-malleable extractors along with affine-evasive sets can also be used to construct efficient privacy amplification protocols. This gives a much simpler protocol for min-entropy k = n/2 + Ω(log(1/ε)), and additionally, under the Spectrum Doubling Conjecture, achieves near optimal parameters and achieves additional security properties like source privacy that have been the focus of some recent results in privacy amplification.


international cryptology conference | 2014

Amplifying Privacy in Privacy Amplification

Divesh Aggarwal; Yevgeniy Dodis; Zahra Jafargholi; Eric Miles; Leonid Reyzin

We study the classical problem of privacy amplification, where two parties Alice and Bob share a weak secret X of min-entropy k, and wish to agree on secret key R of length m over a public communication channel completely controlled by a computationally unbounded attacker Eve.

Collaboration


Divesh Aggarwal's collaborators.

Top Co-Authors

Shachar Lovett

University of California