This document provides a short review of the NTRU cryptosystem. It begins with an outline introducing the NTRU lattice, NTRUEncrypt, pqNTRUSign, and the conclusion. It then discusses why lattice-based cryptography is important, particularly in light of the threat posed by quantum computers. It provides background on lattice cryptography and the NTRU lattice, describing the NTRU ring and the NTRU assumption. The document focuses on introducing the key concepts behind the NTRU cryptosystem in under three sentences.
Presentation on lattice-based cryptography, given as part of the Post-Quantum Cryptography course of the PPGCC at UFSC.
odp version: http://coenc.td.utfpr.edu.br/~giron/presentations/aula_lattice.odp
This document discusses ring-based homomorphic encryption schemes and compares the efficiency of four schemes: BGV, FV, NTRU, and YASHE. The schemes are analyzed by measuring ciphertext size under varying parameters like plaintext modulus size and circuit depth. For small plaintext sizes, YASHE is most efficient, but BGV generally performs best as plaintext size increases. The analysis provides a starting point for comparing ring-based schemes but could be improved with a stricter security analysis.
Fully Homomorphic Encryption allows computations to be carried out on encrypted data without decrypting it. It solves the problem of secure cloud computing by allowing a client to encrypt data and outsource storage and processing to an untrusted server. The presentation discusses additive and multiplicative homomorphic encryption schemes, including ElGamal and RSA. It also covers bootstrapping and applications to image processing tasks like resizing, compression, and decompression on encrypted images. A demonstration of these techniques is shown using the Pyfhel library. While promising for security, fully homomorphic encryption remains computationally expensive.
An introduction to lattice-based cryptography - Thijs Laarhoven
Due to the imminent threat of quantum computers, which may break all currently deployed cryptographic schemes in the near future, research in the field of cryptography has increasingly shifted to "post-quantum" cryptographic primitives, which attempt to offer security even in the age of large-scale quantum computers. Lattice-based solutions are leading candidates among post-quantum cryptosystems, due to their efficiency, versatility, and simplicity. These slides explain the basic ideas behind lattice-based cryptography, using visuals whenever possible for ease of understanding.
This document discusses homomorphic encryption and its applications in cloud computing. It begins by defining cloud computing and encryption. Homomorphic encryption allows computations to be performed on encrypted data without decrypting it first. This allows a third party like a cloud provider to process data while maintaining its confidentiality. The document outlines partially homomorphic encryption schemes like RSA that support only some operations, and fully homomorphic encryption that supports any computation. Potential applications of homomorphic encryption include online voting systems, encrypted data analytics, and encrypted database queries. In conclusion, homomorphic encryption enables secure computation on encrypted data and enhances privacy in cloud computing.
Survey on Deep Neural Network Watermarking Techniques - Princy Joy
The document summarizes recent research on watermarking techniques for deep neural networks (DNNs). It discusses why DNN watermarking is needed to protect models from unauthorized use. Methods are categorized based on whether they embed watermarks in weights (static) or activations (dynamic), use white-box or black-box extraction, and transmit multi-bit or zero-bit messages. Requirements for watermarking algorithms like robustness, fidelity and a tradeoff triangle are presented. Several static and dynamic watermarking algorithms are described and compared in terms of methodology, robustness, and security against attacks like fine-tuning or overwriting. The conclusion states that while DNN watermarking faces challenges, it provides important protection for
Homomorphic encryption allows computations to be performed on encrypted data without decrypting it first. This document discusses homomorphic encryption techniques including partially homomorphic encryptions that support either addition or multiplication operations, and fully homomorphic encryption introduced by Craig Gentry that supports both types of operations. It also covers the use of ideal lattices in lattice-based cryptosystems and the bootstrapping technique used to "refresh" ciphertexts and prevent noise from accumulating during homomorphic computations.
What is Soft Computing? Difference between Soft Computing and Hard Computing. Classical sets, operations on classical sets, properties of classical sets.
Lattice Based Cryptography - GGH Cryptosystem - Varun Janga
This document discusses lattice-based cryptography and the GGH cryptosystem. It provides an overview of lattices and their properties. The GGH cryptosystem is based on the closest vector problem in lattices. The private key is a good basis for a lattice, while the public key is a bad basis for the same lattice. The document describes the key generation process and analyzes attacks on the GGH cryptosystem such as the embedding attack and Nguyen's attack based on leaking remainders. It also discusses advantages and disadvantages of lattice-based cryptography.
This document discusses backpropagation in convolutional neural networks. It begins by explaining backpropagation for single neurons and multi-layer neural networks. It then discusses the specific operations involved in convolutional and pooling layers, and how backpropagation is applied to convolutional neural networks as a composite function with multiple differentiable operations. The key steps are decomposing the network into differentiable operations, propagating error signals backward using derivatives, and computing gradients to update weights.
This document provides an overview of homomorphic encryption. It begins by defining homomorphic encryption as a form of encryption that allows specific types of computations to be performed on ciphertext and generate an encrypted result that matches the operations performed on the plaintext when decrypted. It then discusses different types of homomorphic encryption including partially homomorphic (additive or multiplicative), fully homomorphic encryption, and provides examples like RSA, ElGamal, and Paillier. The document concludes by listing some applications of homomorphic encryption such as e-voting, biometric verification, and discusses Paillier encryption specifically.
Digital signatures provide authentication of digital messages or documents. There are three main algorithms involved: hashing, signature generation, and signature verification. Common digital signature schemes include ElGamal, Schnorr, and the Digital Signature Standard (DSS). The DSS is based on ElGamal and Schnorr schemes. It uses smaller signatures than ElGamal by employing two moduli, one smaller than the other. Digital signatures are widely used to provide authentication in protocols like IPSec, SSL/TLS, and S/MIME.
This document summarizes Bumsoo Kim's presentation on deep convolutional generative adversarial networks (DCGANs) for unsupervised representation learning. The presentation introduces generative models, describes the DCGAN model architecture which uses an adversarial process between a generator and discriminator, and discusses evaluating and applying vector arithmetic to generated images.
Overview of generative models with an emphasis on GANs and deep learning. Includes autoencoders, VAEs, normalizing flows, autoregressive models, and many GAN architectures.
[01] Quantum Error Correction for Beginners - Shin Nishio
This document provides an introduction to quantum error correction. It discusses the types of quantum errors including coherent errors and environmental decoherence. It then describes the 3-qubit error correction code, which can correct one bit flip error by using syndrome measurements. Finally, it covers the 9-qubit code developed by Shor, which can correct both one bit flip and one phase flip error by combining 3-qubit codes and independently correcting for bit flip and phase flip errors.
Introduction to Generative Adversarial Networks - BennoG1
Generative Adversarial Networks (GANs) are a type of neural network that can generate new data with the same statistics as the training set. GANs work by having two neural networks - a generator and a discriminator - compete against each other in a minimax game framework. The generator tries to generate fake data that looks real, while the discriminator tries to tell apart the real data from the fake data. Wasserstein GANs introduce a new loss function based on the Wasserstein distance to help improve GAN training stability and convergence.
This document discusses quantum error correction. It explains that while quantum states and operators are theoretically perfect, in reality approximations must be made which can cause errors. Quantum error correction deals with these imperfections. It describes different types of quantum errors and discusses barriers to quantum error correction, such as the no-cloning theorem. The document introduces classical error correction techniques and explains how similar techniques can be applied to encode quantum states to correct bit flip and phase flip errors by measuring the parity of qubits without collapsing their superpositions. Specific quantum error correcting codes are presented, including Shor's code which can correct both types of errors.
UNet-VGG16 with transfer learning for MRI-based brain tumor segmentation - TELKOMNIKA JOURNAL
A brain tumor is a deadly disease whose surgical treatment requires high accuracy. Brain tumor detection can be done through magnetic resonance imaging (MRI). Image segmentation of the MRI brain tumor aims to separate the tumor area (the region of interest, or ROI) from the healthy brain and provide a clear boundary of the tumor. This study classifies ROI and non-ROI using a fully convolutional network with a new architecture, namely UNet-VGG16. This architecture is a hybrid of U-Net and VGG16 with transfer learning to simplify the U-Net architecture. The method has a high accuracy of about 96.1% on the learning dataset. Validation is done by calculating the correct classification ratio (CCR), comparing the segmentation result with the ground truth. The CCR values show that UNet-VGG16 can recognize the brain tumor area with a mean CCR of about 95.69%.
This document discusses edge computing and distributed intelligence. It begins with definitions of edge computing and fog computing, noting that fog computing refers to computing near the data source rather than in centralized data centers. It then explores architectural choices for distributed intelligence, including moving computation to data sources using multi-tier IoT architectures that incorporate edge devices, gateways and cloud computing. The document discusses how distributed intelligence can create business value by gaining insights from customer data sources. It provides examples of sensing modalities that could be leveraged and recommends evaluating streaming data from various sources to gain insights.
DDoS Attack Detection and Botnet Prevention using Machine Learning - IRJET Journal
This document discusses using machine learning to detect distributed denial of service (DDoS) attacks and prevent botnets. It proposes using classifiers like logistic regression, support vector machines, K-nearest neighbors, decision trees, and AdaBoost to detect DDoS attacks based on the NSL KDD dataset, achieving accuracies from 82.28% to 90.4%. It also plans to add botnet prevention features to reduce the creation of botnets and the intensity of future DDoS attacks, which could help individual users. The document reviews several related works applying machine learning for DDoS detection and phishing URL classification.
This document provides an overview of multilayer perceptrons (MLPs) and the backpropagation algorithm. It defines MLPs as neural networks with multiple hidden layers that can solve nonlinear problems. The backpropagation algorithm is introduced as a method for training MLPs by propagating error signals backward from the output to inner layers. Key steps include calculating the error at each neuron, determining the gradient to update weights, and using this to minimize overall network error through iterative weight adjustment.
Generative Adversarial Networks (GANs) are a class of machine learning frameworks where two neural networks contest with each other in a game. A generator network generates new data instances, while a discriminator network evaluates them for authenticity, classifying them as real or generated. This adversarial process allows the generator to improve over time and generate highly realistic samples that can pass for real data. The document provides an overview of GANs and their variants, including DCGAN, InfoGAN, EBGAN, and ACGAN models. It also discusses techniques for training more stable GANs and escaping issues like mode collapse.
Homomorphic encryption allows computations to be carried out on encrypted data without decrypting it first. This summary discusses Craig Gentry's scheme for fully homomorphic encryption based on ideal lattices. The scheme works by encrypting bits as ciphertexts with small noise that grows with computations. A bootstrapping procedure called re-crypt reduces the noise to keep ciphertexts decryptable. While promising for applications like cloud computing, the scheme has high computational costs that scale poorly with security level. Current research aims to make homomorphic encryption more efficient and practical.
Clustering: k-means, expectation-maximization and Gaussian mixture model - jins0618
This document discusses K-means clustering, Expectation Maximization (EM), and Gaussian mixture models (GMM). It begins with an overview of unsupervised learning and introduces K-means as a simple clustering algorithm. It then describes EM as a general algorithm for maximum likelihood estimation that can be applied to problems like GMM. GMM is presented as a density estimation technique that models data using a weighted sum of Gaussian distributions. EM is described as a method for estimating the parameters of a GMM from data.
https://telecombcn-dl.github.io/2018-dlai/
Deep learning technologies are at the core of the current revolution in artificial intelligence for multimedia data analysis. The convergence of large-scale annotated datasets and affordable GPU hardware has allowed the training of neural networks for data analysis tasks which were previously addressed with hand-crafted features. Architectures such as convolutional neural networks, recurrent neural networks or Q-nets for reinforcement learning have shaped a brand new scenario in signal processing. This course will cover the basic principles of deep learning from both algorithmic and computational perspectives.
This presentation on Lattice-based Digital Signatures from April 2018 was given at the Chinese Academy of Sciences by OnBoard Security's Zhenfei Zhang.
Minimum Complexity Decoupling Networks for Arbitrary Coupled Loads - Ding Nie
Presented on 7/8/2014, at 2014 IEEE International Symposium on Antennas and Propagation and USNC-URSI Radio Science Meeting (APS/URSI 2014), Memphis, TN
This document is a project report submitted by Shivangi Goel for the degree of Master of Science in Mathematics. The report proposes a secure scheme for secret sharing using graph theory. It uses a system of linear congruences based on prime numbers to divide a secret into shares and distributes the shares among graph nodes in a way that allows the secret to be reconstructed using the Chinese Remainder Theorem. The report includes background on secret sharing, linear congruences, and cryptographic techniques like RSA. It then describes the proposed scheme, which uses specific graph structures like the Petersen and Heawood graphs to represent the access structure and distribute shares of the secret.
The document summarizes the NNPDF3.1 global analysis which provides an updated determination of parton distribution functions (PDFs) from experimental data. Key points include:
1) NNPDF3.1 includes new high-precision measurements from the LHC as well as NNLO QCD calculations, allowing more data to be included. It also fits the charm PDF rather than assuming it is purely perturbative.
2) The new data provides stronger constraints on PDFs, particularly the gluon and down quark, significantly reducing their uncertainties. It also shows good agreement with the previous NNPDF3.0 analysis.
3) For the first time, NNPDF3.1 includes LHC
On Continuum Limits of Markov Chains and Network ModelingYang Zhang
Presented at 2010 IEEE Conference on Decision and Control.
We investigate the continuum limits of a class of Markov chains. The investigation of such limits is motivated by the desire to model very large networks. We show that under some conditions, a sequence of Markov chains converges in some sense to the solution of a partial differential equation. Based on such convergence we approximate Markov chains modeling networks involving a large number of components by partial differential equations. While traditional numerical simulation for very large networks is practically infeasible, partial differential equations can be solved with reasonable computational overhead using well-established mathematical tools.
This document summarizes Wu Chihua's presentation on error correction for next generation sequencing. The presentation covers background on DNA sequencing and next generation sequencing technologies. It also discusses existing error correction research, a toy experiment using the SlideSort algorithm on simulated short read data, and plans for future work using larger real datasets and Bayesian models.
The document discusses various techniques for classifying pictures using neural networks, including convolutional neural networks. It describes how convolutional neural networks can be used to classify images by breaking them into overlapping tiles, applying small neural networks to each tile, and pooling the results. The document also discusses using recurrent neural networks to classify videos by treating them as higher-dimensional tensors.
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondAnne Nicolas
Berkeley Packet Filter is an old friend for most people that deal with network under Linux. But its extended version eBPF is completely redefining the scope of usage and interaction with the kernel. It can indeed be used to instrument most parts of the kernel. This goes from network tracing to process or I/O monitoring.
This talk will provide an overview of eBPF, from concept to tools like BCC. It will then focus on XDP for eXtreme Data Path and the possible applications in term of networking provided by this new framework.
Eric Leblond, Stamus Network
The document discusses convolutional neural network architectures including AlexNet, GoogLeNet, ResNet, and their applications to tasks like image classification and object detection. It provides details on the architecture of AlexNet including the number and arrangement of convolutional, pooling and fully connected layers. It also summarizes innovations in GoogLeNet like the use of 1x1 convolutions and inception modules to reduce computations. ResNet is highlighted for introducing residual connections to address the degradation problem in deeper networks. Finally, it briefly mentions using CNNs for object detection tasks.
THE KEY EXCHANGE CRYPTOSYSTEM USED WITH HIGHER ORDER DIOPHANTINE EQUATIONSIJNSA Journal
One-way functions are widely used for encrypting the secret in public key cryptography, although they are regarded as plausibly one-way but have not been proven so. Here we discuss the public key cryptosystem based on the system of higher order Diophantine equations. In this system those Diophantine equations are used as public keys for sender and recipient, and both sender and recipient can obtain the shared secret through a trapdoor, while attackers must solve those Diophantine equations without trapdoor. Thus the scheme of this cryptosystem might be considered to represent a possible one-way function. We also discuss the problem on implementation, which is caused from additional complexity necessary for constructing Diophantine equations in order to prevent from attacking by tamperers.
The document discusses second order traffic flow models on networks. It begins with an introduction to traffic modeling, including macroscopic representations of traffic flow using density, flow, and speed. First order models like Lighthill-Whitham-Richards (LWR) are introduced, as well as higher order Generic Second Order Models (GSOM) that can account for driver behavior and vehicle interactions. The document then discusses applying a variational principle and Hamilton-Jacobi formulation to both LWR and GSOM models, allowing them to be analyzed using tools from optimal control and viability theory.
Master Thesis Presentation (Subselection of Topics)Alina Leidinger
This presentation shows some of my work carried out as part of my master thesis on "Mathematical Analysis of Neural Networks" at TUM Chair of Applied Numerical Analysis under Prof. Dr. Massimo Fornasier. The thesis constitutes a literature review with the aim of analysing and contrasting some of the approaches in the mathematical analysis of neural networks. The thesis focuses on 3 key aspects: Modern and classical approximation theory, robustness and stability of neural networks and unique identification of network weights. While the three themes carry approximately equal weight in the thesis, this presentation gives only a very short overview over the first and third chapter of my thesis and focuses on the robustness chapter. See also the full text version available on SlideShare/LinkedIn.
Learning to discover monte carlo algorithm on spin ice manifoldKai-Wen Zhao
The global update Monte Carlo sampler can be discovered naturally by trained machine using policy gradient method on topologically constrained environment.
Time Sensitive Networking in the Linux Kernelhenrikau
Time Sensitive Networking provides mechanisms for sending data accross the network with very low latency, low jitter and low framedrops, opening up a whole range of new applications.
This talk primarily focuses on media, but the driver should be interesting for industrial applications and automotive as well.
This document summarizes a student's final seminar project on developing a novel all-pairs shortest path (APSP) algorithm and applying it in a multi-domain SDN. The student first discusses existing APSP algorithms and their limitations. They then propose a graph decomposition technique and algorithms to securely compute paths across multiple domains in an SDN. To evaluate the novel APSP algorithm, they test it on various network topologies and compare its performance to the Floyd-Warshall algorithm as the number of controllers varies. The results suggest the proposed approach improves upon Floyd-Warshall in the context of multi-domain SDNs.
This document summarizes a student's final seminar project on developing a novel all-pairs shortest path (APSP) algorithm and applying it in a multi-domain SDN. The student first discusses challenges with the current Internet architecture and how SDN aims to address them. They then review existing APSP algorithms and issues with graph decomposition and SDN security. The student proposes a new graph decomposition technique and algorithms to securely encrypt network paths. Their methodology involves decomposing the graph, finding peripheral vertices, and applying Dijkstra's and Floyd-Warshall algorithms. Analysis shows the approach runs in O(|V|δ) time and O(|V|l + |V|δ2l) space
N-gram IDF: A Global Term Weighting Scheme Based on Information Distance (WWW...Masumi Shirakawa
A deck of slides for "N-gram IDF: A Global Term Weighting Scheme Based on Information Distance" (Shirakawa et al.) that was presented at 24th International World Wide Web Conference (WWW 2015).
1. A short review of the NTRU cryptosystem
Zhenfei Zhang
zzhang@onboardsecurity.com
July 12, 2017
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 1 / 42
5. Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)
7. Why lattice
The real reason:
1994: Shor's algorithm breaks RSA and ECC on a quantum computer;
2015: NSA announcement: prepare for the quantum apocalypse;
2017: NIST call for submissions to its post-quantum competition/standardization;
2030(?): predicted arrival of general-purpose quantum computers.
Bonus points:
Good understanding of the underlying hard problems;
Fast, parallelizable, hardware friendly;
Numerous applications: FHE, ABE, multilinear maps (MMap), obfuscation, ...
8. Why lattice
The real reason: 2030(?), predicted general-purpose quantum computers. Why does that matter today?
Data vaulting attack (a.k.a. harvest-then-decrypt attack):
Data need to stay secret for, say, 30 years;
A quantum computer arrives in, say, 15 years;
so ciphertexts recorded now can be decrypted later. Perhaps the most practical attack in cryptography!
10. State-of-the-art lattice-based crypto in practice
Key exchange/establishment schemes: NewHope (R-LWE), Frodo (LWE), NTRU-KEM (NTRU)
Encryption schemes: NTRUEncrypt (NTRU), standardized by IEEE and ASC X9
Signature schemes: BLISS (NTRU), pqNTRUSign (NTRU), TESLA (R-LWE)
11. (Figure: lattice-based schemes in practice.) Figure source: Christine van Vredendaal
12. How they are used in practice
Hybrid mode: QSC + ECC/RSA
Example: a "quantum-safing" TLS handshake (figure, built up over three slides)
15. (Figure: a lattice in the plane.) Figure source: Wendy Cordero's High School Math Site
16. Lattice
Definition of a lattice
All the integral combinations of d ≤ n linearly independent vectors $b_1, \ldots, b_d$ over $\mathbb{R}^n$:
$L = \mathbb{Z} b_1 + \cdots + \mathbb{Z} b_d = \{\lambda_1 b_1 + \cdots + \lambda_d b_d : \lambda_i \in \mathbb{Z}\}$
d is the dimension; $B = (b_1, \ldots, b_d)$ is a basis.
An example (rows are the basis vectors):
$B = \begin{pmatrix} 5 & 1 & 2\sqrt{3} \\ 3 & 5\sqrt{2} & 1 \end{pmatrix}$, with $d = 2 \le n = 3$.
In this talk: full-rank integer bases, $B \in \mathbb{Z}^{n \times n}$.
17. Example
A lattice L with basis
$B = \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix}$
All lattice crypto talks start with an image of a dim-2 lattice.
18. Example
The same lattice L, another basis: for any unimodular U (integer matrix with $\det U = \pm 1$), UB is again a basis of L.
$UB = \begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ -3 & 11 \end{pmatrix}$
Infinitely many bases.
19. Example
$UB = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ 13 & 21 \end{pmatrix}$
Infinitely many bases.
20. Example
$UB = \begin{pmatrix} 3 & 1 \\ 2 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 29 & 31 \\ 21 & 26 \end{pmatrix}$
Infinitely many bases.
21. Example
The shortest vector and the first minimum
$v = (8, 5)$, with $\lambda_1 = \sqrt{8^2 + 5^2} = \sqrt{89} \approx 9.434$
22. Example
The determinant
$\det L = \sqrt{\det(B B^T)} = |\det B| = 8 \cdot 16 - 5 \cdot 5 = 103$
The fundamental parallelepiped (figure): its volume equals $\det L$.
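The dim-2 example of slides 17 to 22, worked in code. This is an added example, not code from the slides: it takes the basis B = (8 5; 5 16) and the three unimodular matrices above (rows as basis vectors, as in the talk), checks that each UB generates the same lattice and has the same determinant, and recovers the shortest vector (8, 5) with Lagrange-Gauss reduction instead of reading it off a picture. The same_lattice test and the reduction routine are my additions.

```python
# Added example (not from the slides): the dim-2 lattice of slides 17-22,
# B = (8 5; 5 16), with rows as basis vectors as in the talk.
import math

B = [[8, 5], [5, 16]]                # basis from slide 17
U_LIST = [                           # unimodular matrices from slides 18-20
    [[1, 0], [-1, 1]],
    [[1, 0], [1, 1]],
    [[3, 1], [2, 1]],
]

def det2(M):
    return M[0][0] * M[1][1] - M[0][1] * M[1][0]

def matmul2(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def lattice_det(M):
    """det L = sqrt(det(B B^T)); for a square basis this is |det B| (slide 22)."""
    BBt = matmul2(M, [[M[0][0], M[1][0]], [M[0][1], M[1][1]]])   # B * B^T
    return math.isqrt(det2(BBt))

def same_lattice(M1, M2):
    """M1 and M2 generate the same lattice iff M2 = U M1 for an integer U with
    det U = +-1.  U = M2 M1^{-1} is computed exactly via the adjugate (no floats)."""
    d = det2(M1)
    adj = [[M1[1][1], -M1[0][1]], [-M1[1][0], M1[0][0]]]        # M1^{-1} = adj / d
    T = matmul2(M2, adj)                                         # = d * U
    if any(T[i][j] % d for i in range(2) for j in range(2)):
        return False                                             # U is not integral
    U = [[T[i][j] // d for j in range(2)] for i in range(2)]
    return abs(det2(U)) == 1

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(M):
    """Lagrange-Gauss reduction: returns a basis (u, v) of the same lattice in which
    u is a shortest nonzero vector, so lambda_1 = ||u|| (slide 21)."""
    u, v = list(M[0]), list(M[1])
    while True:
        if dot(u, u) > dot(v, v):
            u, v = v, u
        m = round(dot(u, v) / dot(u, u))   # nearest-integer projection coefficient
        if m == 0:
            return u, v
        v = [v[0] - m * u[0], v[1] - m * u[1]]

def first_minimum(M):
    u, _ = gauss_reduce(M)
    return math.sqrt(dot(u, u))

if __name__ == "__main__":
    print("det L =", lattice_det(B))
    for U in U_LIST:
        UB = matmul2(U, B)
        print("UB =", UB, "same lattice:", same_lattice(B, UB), "det L =", lattice_det(UB))
    print("shortest vector", gauss_reduce(B)[0], "lambda_1 = %.3f" % first_minimum(B))
```

Running it prints the three bases from slides 18 to 20, each with determinant 103, and the shortest vector (8, 5) with λ1 ≈ 9.434; feeding it the basis (29 31; 21 26) recovers the same vector, which is the point of slide 18: the lattice, not the basis, is the object.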
26. NTRU lattice
NTRU ring
Originally: $\mathbb{Z}_q[x]/(x^N - 1)$, q a power of 2, N a prime;
Alternative 1: $\mathbb{Z}_q[x]/(x^N - x - 1)$, q a prime;
Alternative 2: $\mathbb{Z}_q[x]/(x^N + 1)$, q a prime, N a power of 2.
27. NTRU lattice
Ring multiplication: $h(x) = f(x) \cdot g(x)$
Compute $h'(x) = f(x) \times g(x)$ over $\mathbb{Z}[x]$;
Reduce $h'(x)$ mod $(x^N - 1)$, then mod q.
28. NTRU lattice
Ring multiplication, alternatively, as a vector-matrix product with the circulant matrix of g:
$(h_0, \ldots, h_{N-1}) = (f_0, \ldots, f_{N-1}) \times \begin{pmatrix} g_0 & g_1 & g_2 & \cdots & g_{N-1} \\ g_{N-1} & g_0 & g_1 & \cdots & g_{N-2} \\ g_{N-2} & g_{N-1} & g_0 & \cdots & g_{N-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ g_1 & g_2 & g_3 & \cdots & g_0 \end{pmatrix} \bmod q$
(row i of the matrix is the coefficient vector of $x^i g(x)$ mod $(x^N - 1)$).
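The two multiplication methods of slides 27 and 28, as an added example that is not code from the slides. Polynomials are coefficient lists (index = degree). The first method multiplies over Z[x] and then reduces mod (x^N − 1) and mod q; the second builds the circulant matrix of slide 28 and multiplies the coefficient vector of f by it. The code generalises to the x^N + 1 ring of Alternative 2 via a flag (my extension: there each wrap-around contributes a sign, so the matrix becomes negacyclic); the small parameters used in the checks are constructed for the demo, not NTRU parameters.

```python
# Added example (not from the slides): multiplication in the NTRU ring
# Z_q[x]/(x^N - 1) done the two ways of slides 27-28 (reduce a Z[x] product, or
# multiply by the circulant matrix of g), generalised to the x^N + 1 ring of
# Alternative 2.  Polynomials are coefficient lists, index = degree.
import random

def poly_mul_Z(f, g):
    """Schoolbook product over Z[x]."""
    h = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] += fi * gj
    return h

def reduce_ring(h, N, q, x_pow_N=1):
    """Reduce h(x) modulo (x^N - x_pow_N), then modulo q.
    x_pow_N = 1  -> x^N = 1,  ring Z_q[x]/(x^N - 1)  (original NTRU);
    x_pow_N = -1 -> x^N = -1, ring Z_q[x]/(x^N + 1)  (Alternative 2)."""
    out = [0] * N
    for k, c in enumerate(h):
        out[k % N] += c * x_pow_N ** (k // N)     # every wrap-around multiplies by x^N
    return [c % q for c in out]

def ring_mul(f, g, N, q, x_pow_N=1):
    """Slide 27: h'(x) = f(x) * g(x) over Z[x], then reduce."""
    return reduce_ring(poly_mul_Z(f, g), N, q, x_pow_N)

def circulant(g, N, q, x_pow_N=1):
    """Slide 28's matrix: row i holds the coefficients of x^i * g(x) in the ring.
    For x^N - 1 this is the cyclic shift (g_{N-1}, g_0, g_1, ... in row 1);
    for x^N + 1 the wrapped coefficients pick up a minus sign (negacyclic)."""
    return [reduce_ring([0] * i + list(g), N, q, x_pow_N) for i in range(N)]

def ring_mul_matrix(f, g, N, q, x_pow_N=1):
    """Slide 28: (h_0..h_{N-1}) = (f_0..f_{N-1}) x Circ(g) mod q."""
    G = circulant(g, N, q, x_pow_N)
    return [sum(f[i] * G[i][j] for i in range(N)) % q for j in range(N)]

def both_ways_agree(N, q, x_pow_N=1, trials=50, seed=1):
    """Cross-check the two methods on random trinary polynomials (constructed input)."""
    rng = random.Random(seed)
    for _ in range(trials):
        f = [rng.choice((-1, 0, 1)) for _ in range(N)]
        g = [rng.choice((-1, 0, 1)) for _ in range(N)]
        if ring_mul(f, g, N, q, x_pow_N) != ring_mul_matrix(f, g, N, q, x_pow_N):
            return False
    return True

if __name__ == "__main__":
    # (1 + x) * (x + x^2) = x + 2x^2 + x^3  ->  1 + x + 2x^2  mod (x^3 - 1)
    print(ring_mul([1, 1, 0], [0, 1, 1], N=3, q=8))
    # same product with x^3 = -1: -1 + x + 2x^2, i.e. [7, 1, 2] mod 8
    print(ring_mul([1, 1, 0], [0, 1, 1], N=3, q=8, x_pow_N=-1))
    print(circulant([1, 2, 3], N=3, q=8))         # rows: [1,2,3], [3,1,2], [2,3,1]
    print(both_ways_agree(N=7, q=8), both_ways_agree(N=8, q=17, x_pow_N=-1))
```

The matrix form is what turns the ring into a lattice on the next slides: multiplying by g is a linear map on Z_q^N, and the rows of Circ(g) are exactly the rotations x^i g.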
29. NTRU lattice
NTRU assumption
Decisional: given $h = f/g$ for two small ring elements f and g, it is hard to distinguish h from a uniformly random ring element;
Computational: given h, find f and g.
30. NTRU lattice
NTRU lattice: the lattice generated by the rows of
$\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix} = \begin{pmatrix} q & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ 0 & q & \cdots & 0 & 0 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & q & 0 & 0 & \cdots & 0 \\ h_0 & h_1 & \cdots & h_{N-1} & 1 & 0 & \cdots & 0 \\ h_{N-1} & h_0 & \cdots & h_{N-2} & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ h_1 & h_2 & \cdots & h_0 & 0 & 0 & \cdots & 1 \end{pmatrix}$
where H is the circulant matrix of h.
31. NTRU lattice
NTRU lattice $L = \begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix}$
(f, g) and its cyclic rotations $(x^i f, x^i g)$ are the unique shortest vectors in L: since $f \equiv g \cdot h \pmod q$, the integer vector $k = (f - g \cdot h)/q$ gives $(k, g) \cdot \begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix} = (f, g)$.
Decisional problem: decide whether L has unique shortest vectors;
Computational problem: find those vectors.
Both are hard for random lattices.
32. NTRU lattice
The real NTRU assumption: the NTRU lattice behaves the same as a random lattice, so the decisional and computational problems above are as hard for L as for a random lattice.
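Slides 30 to 34 in code, as an added example that is not part of the slides: generate a toy key pair with h = f/g mod q, build the basis [[qI, 0], [H, I]], verify that (f, g) and all of its rotations are integer combinations of the rows, and compare ‖(f, g)‖ with the Gaussian heuristic of slide 34. The parameters N = 13, q = 256 and the coefficient counts are assumptions chosen so the example runs instantly; they are not NTRU parameters. Inversion of g is done by Gauss-Jordan elimination on its circulant matrix, with unit pivots so that it also works for q a power of 2 (my choice of method; the talk does not specify one). Requires Python 3.8+ for pow(x, -1, q).

```python
# Added example (not from the slides): build the NTRU lattice of slides 30-32 for toy
# parameters and check that (f, g) and its rotations lie in it and are far shorter than
# the Gaussian heuristic of slide 34.  N = 13, q = 256 and the +1/-1 counts are
# assumptions for the demo, not real NTRU parameters.  Needs Python 3.8+ (pow(x, -1, q)).
import math
import random

def conv(a, b, N):
    """a(x) * b(x) mod (x^N - 1) over Z, i.e. cyclic convolution (no reduction mod q)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj
    return out

def circulant(g, N):
    """Row i = coefficients of x^i * g(x) mod (x^N - 1)  (the H of slide 30)."""
    return [[g[(j - i) % N] for j in range(N)] for i in range(N)]

def solve_mod(A, b, q):
    """Solve A x = b over Z_q by Gauss-Jordan elimination with unit pivots.
    Works for q prime, and for q = 2^k whenever A is invertible mod 2."""
    n = len(A)
    M = [[v % q for v in row] + [b[i] % q] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if math.gcd(M[r][col], q) == 1), None)
        if piv is None:
            raise ValueError("matrix not invertible mod q")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(v * inv) % q for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                fac = M[r][col]
                M[r] = [(x - fac * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def trinary(N, ones, minus, rng):
    """Polynomial with `ones` coefficients +1 and `minus` coefficients -1, rest 0."""
    v = [0] * N
    pos = rng.sample(range(N), ones + minus)
    for i in pos[:ones]:
        v[i] = 1
    for i in pos[ones:]:
        v[i] = -1
    return v

def ntru_keygen(N, q, ones, minus, rng):
    """Public key h = f/g mod q (slide 29): f = h*g = h x Circ(g), so solve Circ(g)^T h = f.
    Unequal +1/-1 counts keep g(1) != 0, which g needs to be invertible mod x^N - 1."""
    while True:
        f, g = trinary(N, ones, minus, rng), trinary(N, ones, minus, rng)
        Gt = [list(col) for col in zip(*circulant(g, N))]
        try:
            h = solve_mod(Gt, f, q)
        except ValueError:
            continue
        assert [c % q for c in conv(h, g, N)] == [c % q for c in f]
        return f, g, h

def ntru_lattice_basis(h, N, q):
    """Rows of [[q I_N, 0], [H, I_N]] with H = Circ(h)  (slide 30)."""
    top = [[q if j == i else 0 for j in range(N)] + [0] * N for i in range(N)]
    H = circulant(h, N)
    bottom = [H[i] + [1 if j == i else 0 for j in range(N)] for i in range(N)]
    return top + bottom

def coords_of(f, g, h, N, q):
    """(f, g) = (k, g) . B with k = (f - g*h)/q, integral iff f = g*h mod q; else None."""
    gh = conv(g, h, N)
    if any((fi - c) % q for fi, c in zip(f, gh)):
        return None
    return [(fi - c) // q for fi, c in zip(f, gh)] + list(g)

def vec_mat(c, B):
    return [sum(ci * row[j] for ci, row in zip(c, B)) for j in range(len(B[0]))]

def rotate(v, i, N):
    """Coefficients of x^i * v(x) mod (x^N - 1)."""
    return [v[(j - i) % N] for j in range(N)]

def gaussian_heuristic(N, q):
    """sqrt(dim / (2 pi e)) * det^(1/dim) with dim = 2N, det = q^N  (slides 34 and 41)."""
    return math.sqrt(2 * N / (2 * math.pi * math.e)) * math.sqrt(q)

def demo(N=13, q=256, ones=3, minus=2, seed=7):
    rng = random.Random(seed)
    f, g, h = ntru_keygen(N, q, ones, minus, rng)
    B = ntru_lattice_basis(h, N, q)
    in_lattice = True
    for i in range(N):                      # every rotation (x^i f, x^i g)
        fi, gi = rotate(f, i, N), rotate(g, i, N)
        c = coords_of(fi, gi, h, N, q)
        in_lattice = in_lattice and c is not None and vec_mat(c, B) == fi + gi
    norm = math.sqrt(sum(x * x for x in f + g))
    return {"f": f, "g": g, "h": h, "in_lattice": in_lattice,
            "norm": norm, "gaussian_heuristic": gaussian_heuristic(N, q)}

if __name__ == "__main__":
    r = demo()
    print("h =", r["h"])
    print("(f, g) and rotations in NTRU lattice:", r["in_lattice"])
    print("||(f, g)|| = %.3f  vs Gaussian heuristic %.3f" % (r["norm"], r["gaussian_heuristic"]))
```

With these toy values ‖(f, g)‖ = √10 ≈ 3.16 while the Gaussian heuristic predicts about 19.7 for a random lattice of the same dimension and determinant; that gap is exactly the "unique shortest vectors" structure the reduction attacks of the following slides exploit, and h itself looks like a random vector mod q.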
33. NTRU lattice vs random lattice
Left (NTRU lattice): $\begin{pmatrix} 256 & 0 \\ 172 & 1 \end{pmatrix}$, with $(g, f) = (1, 3)$.
Right (random lattice): $\begin{pmatrix} 256 & 0 \\ 17 & 1 \end{pmatrix}$, with $v = (17, 1)$.
34. NTRU lattice vs random lattice
Random lattice: the shortest vector has about the Gaussian heuristic length $\sqrt{\frac{\dim}{2\pi e}} \cdot (\det L)^{1/\dim}$.
NTRU lattice: unique shortest vectors of length $\|(g, f)\|_2$, much shorter than that.
36. Interlude: How to estimate lattice strength?
38. Interlude: How to estimate the lattice strength
"Understanding lattice strength = mastering key technology. :D"
–Jackie Chan
39. Interlude: How to estimate the lattice strength
Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algms.
Approx.-SVP
γ: root Hermite factor
Cryptosystems1
Unique shortest vectors
α: Gap = (λN+1/λ1)1/2N
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
40. Interlude: How to estimate the lattice strength
Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algms.
Approx.-SVP
γ: root Hermite factor
Cryptosystems1
Unique shortest vectors
α: Gap = (λN+1/λ1)1/2N
“Ideal world” “Real world”
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
41. Interlude: How to estimate the lattice strength
Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algms.
Approx.-SVP
γ: root Hermite factor
Cryptosystems1
Unique shortest vectors
α: Gap = (λN+1/λ1)1/2N
α-uSVP ≈ γ-SVP −→ we can use BKZ/LLL results on uSVP
λ1 = λ2 = · · · = λN = g, f 2 =
√
2d
λN+1 ≈ Gaussian Heuristic length dim
2πe det
1
dim = Nq
πe
α = Nq
2dπe
1
4N
Not limited to NTRU, almost all efficient lattice crypto base on uSVP
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 22 / 42
42. Interlude: How to estimate the lattice strength
$\alpha = \left(\frac{Nq}{2d\pi e}\right)^{1/4N}$
Example: N = 743, q = 2048, d = 495: α ≈ 1.0038
α-uSVP ≈ γ-SVP
If BKZ 2.0 can solve Approx-SVP with γ = 1.0038, it can solve uSVP
Lattice strength = cost of BKZ 2.0 with γ = 1.0038
43. Interlude: Lattice reductions
Overview
                time      space     approx. factor
  LLL           poly      poly      exp
  BKZ           sub-exp   sub-exp   sub-exp
  Enumeration   sup-exp   poly      1
  Sieving       exp       exp       1
Best in practice: BKZ 2.0
  Input B = (b_1, ..., b_n) and block size k
  Repeat:
    For i from 1 to n−k+1 do
      Solve SVP for sub-lattice (b_i, ..., b_{i+k−1})
      Size-reduction
44. Interlude: Lattice reductions
Original BKZ 2.0: enumeration with extreme pruning
“New Hope”: (quantum) sieving
45. Interlude: Estimate BKZ 2.0 cost
Example: n = 1024, γ = 1.006(?) (Extreme pruning)
To reach γ = 1.006 one needs block size 216;
Cost to find the SV in a dim-216 lattice requires > 2^105 nodes;
Per-node cost 2^7;
Call this SV solver (n − k + 1) × rounds > 2^9 times;
Total cost > 2^121
46. Interlude: Estimate BKZ 2.0 cost
Example: n = 1024, γ = 1.006 (Sieving)
To reach γ = 1.006 one needs block size 216;
Cost to find the SV in a dim-216 lattice requires > 2^(216 × 0.3) ≈ 2^65 operations;
Also requires ≈ 2^65 space;
Call this SV solver (n − k + 1) × rounds > 2^9 times;
Total cost > 2^74
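The strength estimate of slides 42 and 45-46 as code, as an added example that is not part of the slides: the block-size-to-γ mapping uses the Chen-Nguyen asymptotic formula (an assumption added here; the slides only state that γ = 1.006 needs block size 216), and the 2^105 enumeration node count and 2^7 per-node cost are taken from the slides as inputs.

```python
import math

def root_hermite_factor(k: int) -> float:
    """Root Hermite factor delta that BKZ with block size k is expected to reach.
    Chen-Nguyen asymptotic estimate (assumption added here, not stated on the slides)."""
    return ((k / (2 * math.pi * math.e)) * (math.pi * k) ** (1.0 / k)) ** (1.0 / (2 * (k - 1)))

def block_size_for(gamma: float, k_max: int = 2000) -> int:
    """Smallest block size whose predicted root Hermite factor is <= the target gamma."""
    for k in range(60, k_max):
        if root_hermite_factor(k) <= gamma:
            return k
    raise ValueError("gamma not reachable with block size < k_max")

def oracle_call_bits(n: int, k: int, rounds: int = 1) -> int:
    """log2 lower bound on the number of SVP-oracle calls, (n - k + 1) * rounds, as on the slides."""
    return math.floor(math.log2((n - k + 1) * rounds))

def enumeration_cost_bits(n: int, k: int, nodes_bits: float, per_node_bits: float) -> float:
    """Slides' extreme-pruning model: enumeration nodes x per-node cost x oracle calls."""
    return nodes_bits + per_node_bits + oracle_call_bits(n, k)

def sieving_cost_bits(n: int, k: int, exponent: float = 0.3) -> float:
    """Slides' sieving model: 2^(0.3 k) operations (and memory) per oracle call, times the calls."""
    return math.ceil(exponent * k) + oracle_call_bits(n, k)

def lattice_strength(n: int, gamma: float, nodes_bits: float, per_node_bits: float) -> dict:
    """Cost (in bits) of BKZ 2.0 reaching gamma on an n-dimensional lattice, both oracles."""
    k = block_size_for(gamma)
    return {"block_size": k,
            "enumeration_bits": enumeration_cost_bits(n, k, nodes_bits, per_node_bits),
            "sieving_bits": sieving_cost_bits(n, k)}

if __name__ == "__main__":
    # The slides' example: n = 1024, gamma = 1.006, 2^105 nodes at 2^7 per node
    print(lattice_strength(1024, 1.006, nodes_bits=105, per_node_bits=7))
    # -> {'block_size': 216, 'enumeration_bits': 121, 'sieving_bits': 74}
```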
48. NTRUEncrypt
A CCA-2 secure encryption scheme based on the NTRU assumption
Enc(h = g/f, p = 3, R, m ∈ {−1, 0, 1}^N)
  Find a random ring element r;
  Compute e = p × r · h + m;
Dec(f, p = 3, R, e)
  Compute c = e · f = p × r · g + m · f;
  Reduce c mod p = m · f mod p;
  Recover m = c · f^{−1} mod p
49. NTRUEncrypt
A CCA-2 secure encryption scheme based on the NTRU assumption
Enc(h = g/f, p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}^N)
  Find a random ring element r;
  Compute e = p × r · h + m;
Dec(f ≡ 1 mod p, p = 3, R, e)
  Compute c = e · f = p × r · g + m · f;
  Reduce c mod p = m · f mod p = m
50. NTRUEncrypt
A CCA-2 secure encryption scheme based on the NTRU assumption
Enc(h = g/f, p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}^k)
  Find a random string b; r = hash(h|b)
  m' = r ⊗ (m|b)
  Compute e = p × r · h + m';
Dec(f ≡ 1 mod p, g, p = 3, R, e)
  Compute c = e · f = p × r · g + m' · f;
  Reduce c mod p = m' · f mod p = m'
  Compute r = p^{−1} × (c − m' · f) · g^{−1}
  Extract m, b from m' ⊗ r; compute r' = hash(h|b);
  Output m if r = r'.
52. Attacks
Known attacks
  Combinatorial attacks (meet-in-the-middle);
  Lattice reductions;
  Hybrid attacks;
Less effective attacks
  Subfield attacks;
  Subring attacks;
  Mod 2 attack;
  Hash attacks.
53. Attacks
Meet-in-the-middle:
Suppose f, g are binary polynomials with Hamming weight d
list = ∅
Guess an f_i with Hamming weight d/2; compute g_i = f_i · h;
Check g_i against every g_j ∈ list:
  if g_i + g_j is binary with Hamming weight d, output g_i, g_j;
  else, add g_i to list.
54. Attacks
Lattice reduction: find short vectors in the NTRU lattice $\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix}$
Lattice reduction algorithms: BKZ 2.0
55. Attacks
Hybrid attack: re-write
$\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix} := \begin{pmatrix} qI_{r_1} & 0 & 0 \\ * & L_1 & 0 \\ * & * & I_{r_2} \end{pmatrix}$
Reduce $L_1$;
(MITM) guess a vector v in $L_2 := \begin{pmatrix} * & * & I_{r_2} \end{pmatrix}$;
If the guess is correct, v will be very close to $L_1$;
Find the closest vector to v in $L_1$;
Easy if $L_1$ is well-reduced.
58. Modular Lattice Signatures
The core idea
  Given a lattice L with a trapdoor T and a message m, find a vector v with
    v ∈ L
    v ≡ hash(m) mod p
Can be instantiated via any lattice
  SIS, R-SIS, R-LWE, etc.
pqNTRUSign is an efficient instantiation using the NTRU lattice
  Efficient trapdoor f, g;
  Well-understood hardness.
59. pqNTRUSign
Sign(f, g, h = g/f, p = 3, R, m)
  Hash message into a “mod p” vector (v_p, u_p) = hash(m|h)
  Repeat with rejection sampling:
    Sample v_0 from a certain distribution; compute v_1 = p × v_0 + v_p
    Find a random lattice vector (v_1, u_1) = v_1 · (I, h)
      “v-side” meets the congruence condition.
    Micro-adjust the “u-side” using the trapdoor f and g
      Compute a = (u_1 − u_p) · g^{−1} mod p
      Compute (v_2, u_2) = a · p × (f, g)
      Compute (v, u) = (v_1, u_1) + (v_2, u_2)
  Output v as signature
Remark
  v = v_1 + v_2 = (p × v_0 + v_p) + p × a · f = p × (v_0 + a · f) + v_p
60. pqNTRUSign
Verify(h, p = 3, R, m, v)
  Hash message into a “mod p” vector (v_p, u_p) = hash(m|h)
  Reconstruct the lattice vector (v, u) = v · (I, h)
  Check (v, u) ≡ (v_p, u_p) = hash(m|h) mod p
61. pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approx.-SVP in an intersected lattice;
Transcript security: achieved via rejection sampling.
62. Forgery
Forgery: as hard as solving an approx.-SVP in an intersected lattice:
$L' := L_h \cap \left(\mathbb{Z}^{2N} + (v_p, u_p)\right)$
$\det(L') = p^{2N} q^N \longrightarrow$ Gaussian heuristic length $= \sqrt{\frac{p^2 q N}{\pi e}}$
Target vector length $\|(v, u)\| \le \sqrt{2N}\,\frac{q}{2}$
Approx.-SVP with root Hermite factor $\gamma = \left(\sqrt{\frac{q\pi e}{2p^2}}\right)^{1/\dim} = \left(\frac{q\pi e}{2p^2}\right)^{1/4N}$
Example: N = 512, q = 12289, p = 3 → γ = 1.0042
63. Transcript security
Works on GGHSign, NTRUSign;
Each signature is a vector close to the lattice (info leakage);
Recovering enough of the distance vectors (blue dots) gives away a good basis of the lattice;
Seal the leakage with rejection sampling.
64. Rejection Sampling
Consider b := v_0 + a · f
  “large” v_0 drawn from uniform or Gaussian;
  “small” a drawn from sparse trinary/binary;
  sparse trinary/binary f is the secret.
RS on b
  b follows a certain publicly known distribution independent of f;
  for two secret keys f_1, f_2 and a signature b, one is not able to tell which key signed b: witness indistinguishability.
65. Rejection Sampling
Rejection sampling on Uniform
Sample v_0 uniformly from $[-\frac{q}{2}, \frac{q}{2}]^N$
Accept b when b is in $[-\frac{q}{2} + B, \frac{q}{2} - B]^N$
Before rejection: [histogram of b over −600..600, labelled "notuniforminq", against the reference level 1/1031]
66. Rejection Sampling
After rejection: [histogram of b over −600..600, labelled "uniforminq", flat at the level 1/1021]
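The uniform rejection-sampling step of slides 64-66 worked out exactly, as an added example that is not part of the slides: it uses constructed toy parameters (q = 1031 and B = 5, chosen to match the 1/1031 and 1/1021 levels in the histograms, N = 16), computes the per-coordinate distribution of b = v_0 + a·f before and after the accept test, and checks that the accepted coordinates are uniform and so carry no information about f.

```python
import random
from collections import Counter

# Constructed toy parameters (not a real pqNTRUSign parameter set): q = 1031 as in the
# slides' histograms, ring dimension N = 16, and a of weight B = 5 so that |(a*f)_i| <= B.
Q, N, B = 1031, 16, 5

def ring_mul(a, f, n=N):
    """Product in Z[x]/(x^n - 1) (cyclic convolution), coefficients left unreduced."""
    out = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, fj in enumerate(f):
                out[(i + j) % n] += ai * fj
    return out

def sparse_trinary(n, weight, rng):
    """Vector with `weight` entries drawn from {-1, +1}, the rest 0."""
    v = [0] * n
    for idx in rng.sample(range(n), weight):
        v[idx] = rng.choice((-1, 1))
    return v

def coefficient_histograms(f, trials, rng):
    """Exact per-coordinate distribution of b = v0 + a*f, with v0 uniform on [-q/2, q/2],
    accumulated over `trials` random sparse a: before rejection, and after keeping only
    coordinates with |b| <= q/2 - B (the slides' accept interval)."""
    before, after = Counter(), Counter()
    for _ in range(trials):
        a = sparse_trinary(N, B, rng)
        for s in ring_mul(a, f):          # s = one coordinate of a*f; depends on the secret f
            for v0 in range(-(Q // 2), Q // 2 + 1):
                b = v0 + s
                before[b] += 1            # mass beyond |b| > q/2 - B reveals the shifts s
                if abs(b) <= Q // 2 - B:
                    after[b] += 1         # every t in the window gets exactly one v0 per s
    return before, after

def is_flat(hist):
    """True when every value in the support has the same count."""
    return len(set(hist.values())) == 1

def demo(seed=1, trials=8):
    """Run the experiment for one random secret f of weight 10; returns (before, after)."""
    rng = random.Random(seed)
    f = sparse_trinary(N, 10, rng)
    return coefficient_histograms(f, trials, rng)

if __name__ == "__main__":
    before, after = demo()
    print("flat before rejection?", is_flat(before))   # False: shape depends on f
    print("flat after rejection?", is_flat(after))     # True: uniform on q - 2B = 1021 values
```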
67. Rejection Sampling
Rejection sampling on Gaussian
Sample v_0 from the discrete Gaussian $\chi^N_\sigma$
Accept b when b is Gaussian
Before/after rejection: [histograms]
69. Thanks!
to study the underlying principle to acquire knowledge (idiom);
pursuing knowledge to the end.
Figure source: Google Image & www.hsjushi.com