Really excited that State Proofs are live on @Algorand MainNet!
This is a major accomplishment across the cryptography research, engineering, and product teams. Great work by all—and this is just the beginning!
1/ Major Protocol Upgrade: Now live on #Algorand MainNet, the release introduces State Proofs for trustless cross-chain communication and 5x faster performance 👉
Feel like it’s being lost that he has *already ordered* the *actual displacement* of more than 59,000 people who:
— are already here legally,
— for an average of 13 years,
— with >27k US-citizen children,
back to “shithole countries.”
We are thrilled to welcome @ChrisPeikert to the Algorand team as our Head of Cryptography! A world leader in lattice-based and post-quantum #cryptography, he will be advancing several projects that further improve Algorand’s functionality and performance:
💥New short paper with Yi Tang:
We *completely break* the assumption underlying the lattice-based "proof of sequential work" candidate from CRYPTO'23.
This solves a problem that was conjectured to require depth T... in depth poly(log T).
New result with my student Sina Shiehian:
LWE => NP ⊆ NIZK
It's exciting to finally have closure on this problem, after being tormented by it for (yikes!) 12+ years.
This is a very exciting honor! Thanks to all who found this work useful and built upon it.
(The only downside: being old enough to be eligible...)
Here is a little behind-the-scenes story from my foggy memory... /1
A big congrats to Prof. @ChrisPeikert on his receipt of the Crypto 2023 Test-of-Time Award! The award, given by @IACR_News, recognizes the lasting influence of his research on oblivious transfer protocols and lattice-based encryption. >>
New paper, with @huckbennett: a much simpler proof that the Shortest Vector Problem on lattices is NP-hard (via a randomized reduction).
tl;dr: Reed-Solomon codes very easily give "locally dense lattices," the key gadgets enabling hardness proofs.
Chen’s paper has a bug, independently discovered by Hongxun Weng and Thomas Vidick, that he doesn’t know how to fix. If I understand correctly, in its current form the paper doesn’t yield any improvement on prior algorithms.
@mjos_crypto @Mark_Schultz For the record: we did consider this very attack.
Indeed, we systematically analyzed a *strictly better* attack in a (quite attacker-friendly) quantum time*memory metric. See Section 1.2 of our paper:
1/ Since people are wondering about : the central claims are incorrect. Indeed, we can even prove that the entire approach cannot possibly work against the targeted Ring-LWE parameters.
Can anyone (e.g., @ChrisPeikert) comment on this? Is it correct? Does it impact candidate constructions?
Cryptology ePrint Archive: Report 2021/418 - Ring-LWE over two-to-power cyclotomics is not hard
An analogy: if you randomly scramble a Rubik's cube, it will very likely be hard for a novice to solve.
Rubik's cube has "average-case hardness" (against non-experts, anyway).
Wondering about "An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor"?
Some good sources on our developing understanding:
“There is nothing so practical as a good theory” -Lewin
Last week, NIST announced post-quantum cryptography standards—and 3/4 of the selections are based on lattices! 🥳
Here's how 20+ years of theoretical work has heavily influenced these systems... 🧵
New paper w/ Jaiyu Xu, to appear at CT-RSA:
We show that Elliptic Curve Verifiable Random Function (ECVRF) has some quantum security—e.g., for proofs of correct evaluation.
But EC discrete log is broken by quantum (thx Shor!), so how can this be?? 🧵
When I was a grad student, I would routinely send my advisor long emails declaring that I had solved a problem, and then it would turn out that I added 2+2=5 and everything was broken, and I'd be super embarrassed about it
covid-19 homeschooling day 1 report:
* surprising levels of resistance to emacs drills. seeking a better showcase than sql-mode
* positive response to lambda calculus—untyped, of course (for now)
* elliptic curves preferred over lattices. probably just the "terrible twos"
‼️ New paper w/ Leo de Castro:
We construct the first functional commitment scheme for *all functions*, under a standard setup ("transparent") and falsifiable assumption (SIS).
Bonus: stateless updates, asymptotic efficiency, and post-quantum security!
@Axetrax22 @mjos_crypto @Mark_Schultz Yes, we first considered the above-described attack (which is well known). Our paper analyzes an even better (quantum) attack. Yes, the yottabyte statement is accurate—indeed, the actual memory requirements turn out to be even greater.
Our paper “ALCHEMY: A Language and Compiler for Homomorphic Encryption Made easY” (w/ Eric Crockett and Chad Sharp) was accepted to #CCS18!
Stay tuned for the paper and code...
I choose a random line with my secret as the slope, and give you a “magic box” that hides the line, but lets you check whether any given point is on the line.
You choose a random X. I give you the point on the line with that X-coordinate. You check it using the magic box.
Fortunately, I don’t know of any deployments of this system (or advanced plans for such).
This shows, once again, how important cryptanalytic scrutiny is. SIDH saw essentially no improvement in attacks over ~12 years, and now appears to be totally broken. Amazing!
@EliBenSasson All I can say for now is that it needs to be carefully understood and checked for correctness. I don’t know if anyone has done this yet (apart from the author of course).
Why is this useful?
For applications like committee selection (e.g., in @Algorand), ECVRF outputs only need to look random in the "medium term," during a key's active lifetime.
A far-off quantum attack that predicts outputs for an expired key isn't a threat.
ICYMI: the German BSI recommended FrodoKEM for post-quantum key exchange:
It has also just released a report providing an overview of quantum-safe cryptography, available here:
Introducing QuantUM*Lot, a new parking lot that will harness the power of #quantum mechanics to exponentially increase parking capacity at the upcoming Leinweber Building. @UMengineering
@harryhalpin Dual EC came "out of nowhere" with obvious NOBUS backdoor-ability.
Kyber came from a public process and has an explicit anti-backdoor design ("against all authority").
I am *all* for close scrutiny, but let's have a plausible theory, not just inapt analogies and hand-waving.
Can’t overstate our excitement that the amazing Nikhil Bansal is joining Michigan’s theory group @UMichCSE, as the Fischer Chair of theoretical computer science!
Among everything else, it’s especially exciting to see GPV’08-style digital signatures go from theory to practical standard (Falcon).
Congratulations to all!
Here's our new paper, with the terrific @huckbennett and Yi Tang, on improved fine-grained hardness of the (approximate) Shortest Vector Problem and Bounded Distance Decoding on lattices.
In one week, my PhD student Navid Alamati will defend his thesis, which asks the natural question:
What do we get when we endow generic "minicrypt" primitives with homomorphisms?
The answers will surprise and delight you!
Link:
I’m a broken record on this point, but here is another example why worst-case hardness—like for LWE and SIS—is so important.
We humans just aren’t very good at inventing ad-hoc, average-case lattice problems that are anywhere near as hard as we wish them to be.
CRYPTO 1986: advancing science but not technology.
Papers with titles like “How to Prove all NP-statements in Zero-Knowledge,” and “Towards a Theory of Software Protection.”
CRYPTO 2018: advancing science but not technology
* have papers with titles like "Adaptive Garbled RAM from Laconic Oblivious Transfer"
* links papers to $30-per-PDF paywall, can't even put rump session slides online after 3 days
In cryptography, worst-case hardness doesn't suffice:
the mere *existence* of hard-to-break keys, ciphertexts, etc. doesn't help, if a cryptosystem doesn't actually produce them!
Instead, we need average-case hardness: it should be hard to break the system's random outputs.
Computer Science and Engineering at the University of Michigan invites applications for multiple tenure-track and teaching faculty (lecturer) positions.
Apply here (and spread the word!):
@Coop_Daniels One of the few extant NIST PQC proposals—not yet selected for standardization, but advanced to the 4th round—just went from "no attack progress for ~12 years" to "totally broken."
New paper w/ Zachary Pepin:
We unify, and simplify reductions among, algebraic Learning With Errors problems like Ring, Module, Polynomial, Order, and Middle-Product LWE.
Highlight: simple reduction from LWE over many rings to a single M[P]-LWE problem.
Happy #NationalMichiganDay to all who celebrate!
DYK?: Michigan has the most shoreline of any state in the contiguous ("lower 48") United States. Only Alaska has more!
This post does some great archaeology on Dilithium signatures… painstakingly digging through the layers from the perspective of a classical cryptographer, to better understand the curious artifacts of this strange lattice-based civilization…
Cryptographers! I’m seeking examples where:
a poly-time-loose but “advantage-tight” reduction
was used to justify the security of a serious proposal
but concealed a significant security gap that was discovered later.
(We have several big examples for adv-*loose* reductions.)
LaTeX protip: use \autoref (from hyperref package) instead of \ref to automatically put an appropriate prefix—"Section," "Definition," "Theorem," etc.—before the number.
(The prefix becomes part of the hyperlink, too!)
A Ph.D. student collaborator of mine with a degree in CS just asked me what emacs is and I nearly fell out of my chair. I have never felt so old in my life! I still have tears in my eyes. 😭😂
It was great to be back in Atlanta and Georgia Tech to give the invited talk at #PKC2023, on "Unexpected Applications of Fully Homomorphic Encryption."
Please enjoy the slides and video!
This season, Computer Science and Engineering at Michigan has multiple tenure-track positions in all areas, including theory/crypto/security. Please apply and spread the word!
18/ For cryptanalysis, people usually model LWR as if the errors are random—uniform over an interval, say—but this is just a heuristic that "assumes away" any potential LWE/LWR distinction.
Can attacks meaningfully exploit the deterministic errors? More specifically:
Recent days—and especially tonight—have vividly revealed an outpouring of pain and frustration that all of us in CSE need to hear.
Above all: it’s clear that those who have been harassed, abused, or otherwise harmed deserve much better.
Told my crypto class today about the devastating new “frail loops” attack that totally breaks all widely used ciphers.
With the course material now obsolete, it won’t count for upper-level elective credit anymore. Still three weeks to join and catch up to another ULE, though...
Feed your craving with these more recent talks:
@IACR_News YouTube channel:
and many more
Crypto Innovation School 2019 on lattices (videos coming soon):
@ChrisPeikert Just spent the last 24 hours watching and reading everything I can on Lattice Crypto and I'm obsessed. A lot of the stuff I've found are talks given in 2016; do you know of anything that talks about where we're at today, in 2020? I'd love to get involved somehow.
Big congrats to new CSE professor Mahdi for a great job teaching undergrad crypto—and outdoing my own ratings on the first try, no I’m not mad about that why would you think I’m mad that’s nothing to be mad ab
20/ Are there any special "bad interactions" between rings and rounding (RLWR)?
Given the prominence of RLWR in #NISTPQC and the relative lack of cryptanalysis especially devoted to it so far, these (and others like them) are important questions deserving more attention.
/fin
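The LWE-versus-LWR distinction raised in parts 18 and 20 of the thread, shown in code. This is an added example, not part of the thread or of any NIST submission; the parameters Q = 4096, P = 256, N = 8 are toy values chosen for illustration. It makes concrete what "deterministic errors" means: the quantity an LWE-style model calls the error of an LWR sample is exactly minus the centered low bits of the inner product ⟨a, s⟩, so it is fixed by a and s, repeats on repeated sampling, and turns each sample into a hard interval constraint on ⟨a, s⟩ rather than a noisy one. The empirical histogram over random a looks uniform, which is why the random-error heuristic is tempting.

```python
import random
from collections import Counter

# Toy parameters, an assumption of this example (real schemes use dimension in the hundreds).
Q = 4096          # LWE/LWR modulus
P = 256           # LWR rounding modulus; P must divide Q
N = 8             # dimension
D = Q // P        # rounding discards log2(D) = 4 low bits of <a, s>


def inner(a, s):
    return sum(x * y for x, y in zip(a, s)) % Q


def centered(r, m):
    """Representative of r mod m in the interval [-m/2, m/2)."""
    r %= m
    return r - m if r >= m // 2 else r


def lwe_sample(a, s, e):
    """LWE: b = <a,s> + e mod Q, where the error e comes from a randomness source."""
    return (inner(a, s) + e) % Q


def lwr_sample(a, s):
    """LWR: b = round(P/Q * <a,s>) mod P. The only randomness is in a itself."""
    return ((inner(a, s) + D // 2) // D) % P


def lwr_implied_error(a, s):
    """The 'error' an LWE-style model assigns to an LWR sample: (Q/P)*b - <a,s>, centered mod Q."""
    return centered(D * lwr_sample(a, s) - inner(a, s), Q)


def low_bits_error(a, s):
    """Closed form: the LWR error is exactly minus the centered low log2(D) bits of <a,s>."""
    return -centered(inner(a, s) % D, D)


def lwr_consistent(a, s_guess, b):
    """Each LWR sample is a hard constraint: <a, s> must round to b, i.e. lie in
    [D*b - D/2, D*b + D/2) mod Q. A wrong guess for s is rejected with certainty."""
    return lwr_sample(a, s_guess) == b


def error_histogram(s, trials=2000, seed=7):
    """Empirical distribution of LWR errors over random a. It looks uniform on
    [-D/2+1, D/2], yet every value is a deterministic function of (a, s)."""
    rng = random.Random(seed)
    hist = Counter()
    for _ in range(trials):
        a = [rng.randrange(Q) for _ in range(N)]
        hist[lwr_implied_error(a, s)] += 1
    return hist


if __name__ == "__main__":
    rng = random.Random(1)
    s = [rng.randrange(Q) for _ in range(N)]
    a = [rng.randrange(Q) for _ in range(N)]
    # Two LWE samples on the same a differ (fresh error); two LWR samples are identical.
    print("LWE:", lwe_sample(a, s, rng.randrange(-8, 9)), lwe_sample(a, s, rng.randrange(-8, 9)))
    print("LWR:", lwr_sample(a, s), lwr_sample(a, s))
    print("implied error", lwr_implied_error(a, s), "== -low bits", low_bits_error(a, s))
    print(sorted(error_histogram(s).items()))
```

The useful takeaway for a cryptanalyst is `lwr_consistent`: a candidate secret either satisfies every sample's interval exactly or is wrong, which is information a model with genuinely random errors throws away.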
That single point I gave you reveals nothing about the line’s slope (my secret).
My ability to give you two or more points on the line (with different X-coordinates) means I know the line, and in particular its slope.
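The "magic box" exchange described in the two tweets above (a random line with the secret as slope; the verifier picks an X-coordinate; one point leaks nothing, two points reveal the slope), realised in code. This is an added example, not the thread's own, and it assumes the standard Schnorr-style instantiation: the box is exponentiation in a prime-order group, so a line y = a·x + b is hidden as (G^a, G^b) and a point (c, y) is checked as G^y == G^b · (G^a)^c. The group parameters P = 2039, Q = 1019, G = 4 are toy values for illustration only. The block shows all three properties: an honest transcript verifies, a simulator produces an identically distributed accepting transcript without the secret (one point reveals nothing), and two transcripts sharing a commitment let anyone extract the slope.

```python
import random
import secrets

# Toy group parameters, an assumption of this example (far too small for real use).
# P is a safe prime, P = 2*Q + 1, and G = 2^2 mod P generates the subgroup of prime order Q.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1


def keygen(rng=secrets.randbelow):
    """Secret 'slope' a and the public half of the 'magic box', A = G^a mod P."""
    a = 1 + rng(Q - 1)
    return a, pow(G, a, P)


def prover_commit(rng=secrets.randbelow):
    """Pick a random 'intercept' b and publish only G^b, which hides the line y = a*x + b."""
    b = rng(Q)
    return b, pow(G, b, P)


def prover_respond(a, b, c):
    """The point on the line with X-coordinate c (the verifier's random challenge)."""
    return (a * c + b) % Q


def verify(A, B, c, y):
    """Check with the box that (c, y) lies on the hidden line: G^y == B * A^c mod P."""
    return pow(G, y, P) == (B * pow(A, c, P)) % P


def simulate(A, rng=secrets.randbelow):
    """Accepting transcript produced WITHOUT the secret: choose the point first, then
    solve for the box. Its distribution matches an honest transcript, which is why a
    single point reveals nothing about a."""
    c = rng(Q)
    y = rng(Q)
    B = (pow(G, y, P) * pow(pow(A, c, P), -1, P)) % P
    return B, c, y


def extract(c1, y1, c2, y2):
    """Two points on the same line (same commitment B, different challenges) give the slope."""
    if c1 == c2:
        raise ValueError("need distinct challenges")
    return ((y1 - y2) * pow((c1 - c2) % Q, -1, Q)) % Q


def demo(seed=1234):
    """Exercise all three properties with a seeded generator so results are reproducible."""
    rng = random.Random(seed).randrange
    a, A = keygen(rng)
    b, B = prover_commit(rng)
    c1 = rng(Q)
    c2 = (c1 + 1 + rng(Q - 1)) % Q      # any challenge other than c1
    y1, y2 = prover_respond(a, b, c1), prover_respond(a, b, c2)
    return {
        "honest_accepts": verify(A, B, c1, y1),
        "simulated_accepts": verify(A, *simulate(A, rng)),
        "extracted_secret": extract(c1, y1, c2, y2) == a,
    }


if __name__ == "__main__":
    print(demo())
```

The extraction step is exactly why the prover must never reuse an intercept b across two runs: the same security argument that makes the protocol a proof of knowledge makes nonce reuse fatal for the deployed signature variant.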
The first paper shows how to prove any “provable” statement in zero knowledge, now a foundation of privacy tech like Zcash.
The second anticipates Oblivious RAM, now widely prototyped for remote storage and computation.