Chris Peikert
@ChrisPeikert
Followers
5,583
Following
59
Media
111
Statuses
1,939
Cryptographer (lattices/post-quantum), Professor @UMichCSE , Head of Cryptography @Algorand , PhD @MIT_CSAIL . Previously @gatech_scs . Here I speak for myself.
Ann Arbor, MI
Joined April 2016
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#BUS_KnockKnockKnock_KhonKaen
• 1249980 Tweets
スプリンターズS
• 85794 Tweets
CRかるび
• 47226 Tweets
WIN AT TODAY SHOW
• 42225 Tweets
スプリンターズステークス
• 34627 Tweets
ナムラクレア
• 25463 Tweets
三原じゅん子
• 22283 Tweets
REBECCA SUPPORTING ACTRESS
• 20328 Tweets
西村騎手
• 19965 Tweets
サトノレーヴ
• 19405 Tweets
ママコチャ
• 19019 Tweets
西村淳也
• 17339 Tweets
YINWAR x VIF x TOPS
• 15792 Tweets
#njdest
• 15768 Tweets
#相葉マナブ
• 15252 Tweets
ドゥラメンテ
• 14865 Tweets
マッドクール
• 14192 Tweets
ピューロマジック
• 10503 Tweets
Pinned Tweet
Looking to learn about lattice-based cryptography? Check out my tutorial and survey:
12
85
280
Really excited that State Proofs are live on
@Algorand
MainNet!
This is a major accomplishment across the cryptography research, engineering, and product teams. Great work by all—and this is just the beginning!
11
54
306
Feel like it’s being lost that he has *already ordered* the *actual displacement* of more than 59,000 people who:
— are already here legally,
— for an average of 13 years,
— with >27k US-citizen children,
back to “shithole countries.”
4
130
285
Some personal news: I’m very excited to join
@Algorand
!
We’ll be looking to hire more great postdocs/interns/cryptographers soon. Stay tuned...
We are thrilled to welcome
@ChrisPeikert
to the Algorand team as our Head of Cryptography! A world leader in lattice-based and post-quantum
#cryptography
, he will be advancing several projects that further improve Algorand’s functionality and performance:
13
54
276
24
27
268
💥New short paper with Yi Tang:
We 𝒄𝒐𝒎𝒑𝒍𝒆𝒕𝒆𝒍𝒚 𝒃𝒓𝒆𝒂𝒌 the assumption underlying the lattice-based "proof of sequential work" candidate from CRYPTO'23.
This solves a problem that was conjectured to require depth T... in depth poly(log T).
7
43
202
New result with my student Sina Shiehian:
LWE => NP ⊆ NIZK
It's exciting to finally have closure on this problem, after being tormented by it for (yikes!) 12+ years.
8
57
187
This is a very exciting honor! Thanks to all who found this work useful and built upon it.
(The only downside: being old enough to be eligible...)
Here is a little behind-the-scenes story from my foggy memory... /1
A big congrats to Prof.
@ChrisPeikert
on his receipt of the Crypto 2023 Test-of-Time Award! The award, given by
@IACR_News
, recognizes the lasting influence of his research on oblivious transfer protocols and lattice-based encryption. >>
4
19
109
10
26
184
New paper, with
@huckbennett
: a much simpler proof that the Shortest Vector Problem on lattices is NP-hard (via a randomized reduction).
tl;dr: Reed-Solomon codes very easily give "locally dense lattices," the key gadgets enabling hardness proofs.
2
33
160
Any serious attempt to attack lattices/LWE that doesn’t change the status quo should increase our confidence in their security.
Chen’s paper has a bug, independently discovered by Hongxun Weng and Thomas Vidick, that he doesn’t know how to fix. If I understand correctly, in its current form the paper doesn’t yield any improvement on prior algorithms.
8
69
268
3
32
162
@mjos_crypto
@Mark_Schultz
For the record: we did consider this very attack.
Indeed, we systematically analyzed a *strictly better* attack in a (quite attacker-friendly) quantum time*memory metric. See Section 1.2 of our paper:
5
31
134
1/ Since people are wondering about : the central claims are incorrect. Indeed, we can even prove that the entire approach cannot possibly work against the targeted Ring-LWE parameters.
Can anyone (e.g.,
@ChrisPeikert
) comment on this? Is it correct? Does it impact candidate constructions? Cryptology ePrint Archive: Report 2021/418 - Ring-LWE over two-to-power cyclotomics is not hard
4
2
21
1
46
112
06 22 21 not prime
22 06 21 not prime
06 22 2021 not prime
22 06 2021 not prime
You've got a lot of nerve calling it Prime Day,
@amazon
.
3
14
109
An analogy: if you randomly scramble a Rubik's cube, it will very likely be hard for a novice to solve.
Rubik's cube has "average-case hardness" (against non-experts, anyway).
1
12
110
Wondering about "An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor"?
Some good sources on our developing understanding:
2
40
109
“There is nothing so practical as a good theory” -Lewin
Last week, NIST announced post-quantum cryptography standards—and 3/4 of the selections are based on lattices! 🥳
Here's how 20+ years of theoretical work has heavily influenced these systems... 🧵
4
38
107
@matthew_d_green
“I’m in!”
“You cracked the encryption key?!”
“I looked up the target’s password on .”
4
8
105
New paper w/ Jaiyu Xu, to appear at CT-RSA:
We show that Elliptic Curve Verifiable Random Function (ECVRF) has some quantum security—e.g., for proofs of correct evaluation.
But EC discrete log is broken by quantum (thx Shor!), so how can this be?? 🧵
2
23
105
Roses are red
Of this I am sure
My love for you
Is post-quantum secure
Roses are red
Violets are Blue
Feelings in my head
Are stronger than CCA2
1
5
21
3
19
102
List of CRYPTO’21 accepted papers:
2
37
97
Good morning to anyone interested in the early history of (Ring-)LWE key exchange and public-key encryption!
Diffie-Hellman/ElGamal-style key exchange and encryption from (Ring-)LWE.
#picsoritdidnthappen
(From talks at TCC 2009 and EUROCRYPT 2010 )
1
1
31
7
28
98
a student in my class called the Cramer-Shoup cryptosystem a “shouped-up ElGamal” and hey buddy I tell the dad jokes here
1
8
94
Why wasn’t the pirate interviewed about finding the fastest route through all the seaports?
It was NP-arrrrrrrrrd.
11
16
95
Same here, but times have changed. Now I send those emails to my students.
When I was a grad student, I would routinely send my advisor long emails declaring that I had solved a problem, and then it would turn out that I added 2+2=5 and everything was broken, and I'd be super embarrassed about it
8
43
583
3
3
83
covid-19 homeschooling day 1 report:
* surprising levels of resistance to emacs drills. seeking a better showcase than sql-mode
* positive response to lambda calculus—untyped, of course (for now)
* elliptic curves preferred over lattices. probably just the "terrible twos"
2
8
83
‼️ New paper w/ Leo de Castro:
We construct the first functional commitment scheme for *all functions*, under a standard setup ("transparent") and falsifiable assumption (SIS).
Bonus: stateless updates, asymptotic efficiency, and post-quantum security!
1
12
79
🟧⬛️⬛️🟩⬛️
🟩⬛️🟩🟩🟩
⬛️🟩⬛️🟩🟩
🟩⬛️🟩⬛️🟩
🟩🟩⬛️🟩🟩
🟩🟩🟩⬛️🟩
Not Wordle, just the Sieve of Eratosthenes…
3
7
81
@Axetrax22
@mjos_crypto
@Mark_Schultz
Yes, we first considered the above-described attack (which is well known). Our paper analyzes an even better (quantum) attack. Yes, the yottabyte statement is accurate—indeed, the actual memory requirements turn out to be even greater.
3
14
77
Our paper “ALCHEMY: A Language and Compiler for Homomorphic Encryption Made easY” (w/ Eric Crockett and Chad Sharp) was accepted to
#CCS18
!
Stay tuned for the paper and code...
1
16
68
I choose a random line with my secret as the slope, and give you a “magic box” that hides the line, but lets you check whether any given point is on the line.
You choose a random X. I give you the point on the line with that X-coordinate. You check it using the magic box.
In two tweets or less, explain the design rationale of the Schnorr ID scheme.
19
2
31
1
9
71
Wow,
@UMichCSE
's recent faculty hires are on 🔥🔥!
They got 7⃣—count 'em, seven!—NSF CAREER awards this cycle.
Big congratulations to
@mahdi_tcs
,
@royaensafi
,
@pag_crypto
, Euiwoong Lee,
@neurocy
,
@eig
, and
@xwangsd
.
0
9
67
🚨 NEW PAPER cryptanalyzing CSIDH using Kuperberg's quantum "collimation sieve."
Bottom line: CSIDH-512 key recovery with only, e.g., ~2^16 quantum group-action evaluations and ~2^40 q-accessible classical memory.
Paper:
Code:
3
17
65
Lesson learned: even a perfectly compliant implementation can be hazardous, if the policy is wrong.
From now on, I insist on trick xor treat.
1
8
58
All the great questions and ideas from the
#QIP2022
attendees made this especially fun and energizing!
Here are the slides:
Great tutorial on post-quantum cryptography by Chris Peikert
@ChrisPeikert
at
#QIP2022
!
would be great to have these slides for future reference...
2
2
29
1
13
59
Fortunately, I don’t know of any deployments of this system (or advanced plans for such).
This shows, once again, how important cryptanalytic scrutiny is. SIDH saw essentially no improvement in attacks over ~12 years, and now appears to be totally broken. Amazing!
4
11
57
@EliBenSasson
All I can say for now is that it needs to be carefully understood and checked for correctness. I don’t know if anyone has done this yet (apart from the author of course).
3
9
58
Why is this useful?
For applications like committee selection (e.g., in
@Algorand
), ECVRF outputs only need to look random in the "medium term," during a key's active lifetime.
A far-off quantum attack that predicts outputs for an expired key isn't a threat.
1
10
55
ICYMI: the German BSI recommended FrodoKEM for post-quantum key exchange:
It has also just released a report providing an overview of quantum-safe cryptography, available here:
1
23
55
an RV that goes from state to state is, in essence, just a touring machine
1
4
51
Very excited that we can finally announce this project today!
Introducing QuantUM*Lot, a new parking lot that will harness the power of
#quantum
mechanics to exponentially increase parking capacity at the upcoming Leinweber Building.
@UMengineering
1
8
41
3
10
51
🎶all the ring lattices
(all the ring lattices)🎶
are solved by the worst-case/average-case reduction to Ring-LWE
3
11
48
@harryhalpin
Dual EC came "out of nowhere" with obvious NOBUS backdoor-ability.
Kyber came from a public process and has an explicit anti-backdoor design ("against all authority").
I am *all* for close scrutiny, but let's have a plausible theory, not just inapt analogies and hand-waving.
2
6
50
Can’t overstate our excitement that the amazing Nikhil Bansal is joining Michigan’s theory group
@UMichCSE
, as the Fischer Chair of theoretical computer science!
1
3
49
Congratulations to Oded Regev, winner of the 2018 Gödel Prize for his brilliant paper introducing Learning With Errors (LWE)!
0
23
47
Among everything else, it’s especially exciting to see GPV’08-style digital signatures go from theory to practical standard (Falcon).
Congratulations to all!
NIST PQC Algorithms to be Standardized:
Public-Key Encryption/KEMs
- CRYSTALS-KYBER
Digital Signatures
- CRYSTALS-Dilithium
- Falcon
- SPHINCS+
2
55
166
1
6
46
describe your favorite crypto result, as boring as possible
66
13
46
Our old lattice-based hash function code could possibly be set up with continuous integration, but we’d have to tailor SWIFFT to Travis.
2
5
44
Crypto 2021 begins online in just six days!
Just look at this tremendous program:
1
7
44
Here's our new paper, with the terrific
@huckbennett
and Yi Tang, on improved fine-grained hardness of the (approximate) Shortest Vector Problem and Bounded Distance Decoding on lattices.
2
3
40
FrodoKEM has been selected for
#NISTPQC
Round 3, along with several other lattice-based cryptosystems.
1
1
39
Seems like a good time to re-up this, which, to be perfectly clear, is solely about cryptography.
In cryptography we often posit that an adversary is not controlling a majority of players. What if it is?
4
6
14
4
26
39
In one week, my PhD student Navid Alamati will defend his thesis, which asks the natural question:
What do we get when we endow generic "minicrypt" primitives with homomorphisms?
The answers will surprise and delight you!
Link:
2
4
39
I’m a broken record on this point, but here is another example why worst-case hardness—like for LWE and SIS—is so important.
We humans just aren’t very good at inventing ad-hoc, average-case lattice problems that are anywhere near as hard as we wish them to be.
1
8
38
A useful fact about Ring-LWE that should be known better: it is *at least as hard* to break as NTRU, and likely strictly harder. 1/
2
19
35
using a lot of electricity we can agree how much money we have
0
0
38
CRYPTO 1986: advancing science but not technology.
Papers with titles like “How to Prove all NP-statements in Zero-Knowledge,” and “Towards a Theory of Software Protection.”
CRYPTO 2018: advancing science but not technology
* have papers with titles like "Adaptive Garbled RAM from Laconic Oblivious Transfer"
* links papers to $30-per-PDF paywall, can't even put rump session slides online after 3 days
6
9
34
2
10
37
In cryptography, worst-case hardness doesn't suffice:
the mere *existence* of hard-to-break keys, ciphertexts, etc. doesn't help, if a cryptosystem doesn't actually produce them!
Instead, we need average-case hardness: it should be hard to break the system's random outputs.
1
1
36
I always enjoy re-reading
@veorq
’s “Too Much Crypto”, especially these parts (from Sections 4.2 and 4.4).
0
1
34
Computer Science and Engineering at the University of Michigan invites applications for multiple tenure-track and teaching faculty (lecturer) positions.
Apply here (and spread the word!):
0
17
35
@Coop_Daniels
One of the few extant NIST PQC proposals—not yet selected for standardization, but advanced to the 4th round—just went from "no attack progress for ~12 years" to "totally broken."
1
5
35
New paper w/ Zachary Pepin:
We unify, and simplify reductions among, algebraic Learning With Errors problems like Ring, Module, Polynomial, Order, and Middle-Product LWE.
Highlight: simple reduction from LWE over many rings to a single M[P]-LWE problem.
2
8
33
On December 11 (9am Eastern, 2pm London) I’ll be speaking at the lattice coding & crypto meeting, about algebraically structured LWE. Check it out!
0
8
34
Happy
#NationalMichiganDay
to all who celebrate!
DYK?: Michigan has the most shoreline of any state in the contiguous ("lower 48") United States. Only Alaska has more!
1
7
33
11th circle: those who patent other people's crypto.
Fun fact: orig manuscript of Dante's Inferno had a 10th circle of hell, reserved for thOSE WHO PATENT CRYPTO BECAUSE WHY WOULD YOU DO THAT
7
156
380
0
12
30
This post does some great archaeology on Dilithium signatures… painstakingly digging through the layers from the perspective of a classical cryptographer, to better understand the curious artifacts of this strange lattice-based civilization…
I wrote a second, long (wonky) post on Schnorr signatures, diving into the Dilithium PQC signature scheme.
3
26
93
1
5
29
Cryptographers! I’m seeking examples where:
a poly-time-loose but “advantage-tight” reduction
was used to justify the security of a serious proposal
but concealed a significant security gap that was discovered later.
(We have several big examples for adv-*loose* reductions.)
6
11
27
Diffie-Hellman/ElGamal-style key exchange and encryption from (Ring-)LWE.
#picsoritdidnthappen
(From talks at TCC 2009 and EUROCRYPT 2010 )
1
1
31
LaTeX protip: use \autoref (from hyperref package) instead of \ref to automatically put an appropriate prefix—"Section," "Definition," "Theorem," etc.—before the number.
(The prefix becomes part of the hyperlink, too!)
3
7
32
I have emacs config files older than some of my Ph.D. students… 👴 M-x send-tweet
A Ph.D. student collaborator of mine with a degree in CS just asked me what emacs is and I nearly fell out of my chair. I have never felt so old in my life! I still have tears in my eyes. 😭😂
27
7
283
0
0
29
It was great to be back to Atlanta and Georgia Tech to give the invited talk at
#PKC2023
, on "Unexpected Applications of Fully Homomorphic Encryption."
Please enjoy the slides and video!
2
8
29
This season, Computer Science and Engineering at Michigan has multiple tenure-track positions in all areas, including theory/crypto/security. Please apply and spread the word!
0
22
30
Come do exciting cryptography with the awesome team at Algorand!
1
4
29
ICYMI: here are some important cryptanalytic questions about Learning With Rounding (LWR) that haven’t received enough attention.
18/ For cryptanalysis, people usually model LWR as if the errors are random—uniform over an interval, say—but this is just a heuristic that "assumes away" any potential LWE/LWR distinction.
Can attacks meaningfully exploit the deterministic errors? More specifically:
1
1
10
1
7
30
An optimistic cryptographer sees the glass as 1/poly(lambda) full.
3
4
30
Recent days—and especially tonight—have vividly revealed an outpouring of pain and frustration that all of us in CSE need to hear.
Above all: it’s clear that those who have been harassed, abused, or otherwise harmed deserve much better.
2
2
29
Told my crypto class today about the devastating new “frail loops” attack that totally breaks all widely used ciphers.
With the course material now obsolete, it won’t count for upper-level elective credit anymore. Still three weeks to join and catch up to another ULE, though...
1
2
29
Feed your craving with these more recent talks:
@IACR_News
YouTube channel:
and many more
Crypto Innovation School 2019 on lattices (videos coming soon):
@ChrisPeikert
Just spent the last 24 hours watching and reading everything I can on Lattice Crypto and I'm obsessed. A lot of the stuff I've found are talks given in 2016; do you know of anything that talks about where we're at today, in 2020? I'd love to get involved somehow.
0
0
1
0
11
29
I've just been informed that it’s the 21st minute of the 21st hour of the 21st day of the 21st year of the 21st century.
7
0
28
Here’s Sina Shiehian kicking off
#Crypto2019
talking about our work on NIZK for any NP language from LWE.
0
4
28
Big congrats to new CSE professor Mahdi for a great job teaching undergrad crypto—and outdoing my own ratings on the first try, no I’m not mad about that why would you think I’m mad that’s nothing to be mad ab
3
1
28
ICYMI: the (tentative) program for CRYPTO'21, August 16-20, is now available.
1
8
28
FrodoKEM has been officially approved for the first round of NIST's post-quantum cryptography effort!
0
9
28
20/ Are there any special "bad interactions" between rings and rounding (RLWR)?
Given the prominence of RLWR in
#NISTPQC
and the relative lack of cryptanalysis especially devoted to it so far, these (and others like them) are important questions deserving more attention.
/fin
3
1
28
That single point I gave you reveals nothing about the line’s slope (my secret).
My ability to give you two or more points on the line (with different X-coordinates) means I know the line, and in particular its slope.
3
1
27
‼️😲‼️
#ePrint
Factoring and Pairings are not Necessary for iO: Circular-Secure LWE Suffices: Z Brakerski, N Döttling, S Garg, G Malavolta
0
15
41
3
11
27
The first paper shows how to prove any “provable” statement in zero knowledge, now a foundation of privacy tech like Zcash.
The second anticipates Oblivious RAM, now widely prototyped for remote storage and computation.
3
3
27