Cryptography: The Jugalbandi of Structure and Randomness
Transcript of Cryptography: The Jugalbandi of Structure and Randomness
![Page 1: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/1.jpg)
Cryptography:The Jugalbandiof Structure and RandomnessShweta AgrawalIIT Madras
![Page 2: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/2.jpg)
CryptographyThe Art of Secret Keeping
Cryptography guarantees that breaking a cryptosystem is at least as hardas solving some difficult mathematical problem.
2
![Page 3: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/3.jpg)
Case Study: Encryption
3
Functionality: Correctness of decryptionSecurity: Ciphertext looks uniformly random
![Page 4: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/4.jpg)
Walking the Fine Line
4
Want functionality together with securityโฆAny one without the other is easy โ how?
![Page 5: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/5.jpg)
Functionality + Security
5
- Functionality requires structure- Security requires randomness
Computational Problems
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance kBx๏ฟฝ tk ยต from the target
tยต
b1
b2
Bx
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 17 / 43
Get both together from suitable hard problem in math
Closest Vector Problem on
Lattices
![Page 6: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/6.jpg)
What is a lattice?
6
Point Lattices and Lattice Parameters
Lattices: Definition
e1e2
The simplest lattice in n-dimensionalspace is the integer lattice
โค = Zn
b1b2
Other lattices are obtained byapplying a linear transformation
โค = BZn (B 2 Rdโฅn)
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43
Point Lattices and Lattice Parameters
Lattices: Definition
e1e2
The simplest lattice in n-dimensionalspace is the integer lattice
โค = Zn
b1b2
Other lattices are obtained byapplying a linear transformation
โค = BZn (B 2 Rdโฅn)
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43
A set of points with periodic arrangement
Discrete subgroup of Rn
![Page 7: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/7.jpg)
7
Shortest Vector ProblemComputational Problems
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x 2 Zk) oflength (at most) kBxk ๏ฟฝ1
b1
b2
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 16 / 43
Computational Problems
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x 2 Zk) oflength (at most) kBxk ๏ฟฝ1
b1
b2
๏ฟฝ1
Bx = 5b1 ๏ฟฝ 2b2
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 16 / 43
![Page 8: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/8.jpg)
8
Closest Vector ProblemComputational Problems
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance kBx๏ฟฝ tk ยต from the target
t
b1
b2
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 17 / 43
Computational Problems
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance kBx๏ฟฝ tk ยต from the target
tยต
b1
b2
Bx
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 17 / 43
![Page 9: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/9.jpg)
RD
One Way Functions
9
xy
Easy
Hard
๐:๐ท โ ๐ , One Way
๐
Most basic โprimitiveโ in cryptography!
![Page 10: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/10.jpg)
10
Q-ary Lattices and Cryptography
Random lattices in Cryptography
0
Cryptography typically uses (random) lattices โคsuch that
โค โ Zd is an integer latticeqZd โ โค is periodic modulo a small integer q.
Cryptographic functions based on q-ary latticesinvolve only arithmetic modulo q.
Definition (q-ary lattice)
โค is a q-ary lattice if qZn โ โค โ Zn
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 36 / 43
Q-ary Lattices and Cryptography
Random lattices in Cryptography
0
Cryptography typically uses (random) lattices โคsuch that
โค โ Zd is an integer latticeqZd โ โค is periodic modulo a small integer q.
Cryptographic functions based on q-ary latticesinvolve only arithmetic modulo q.
Definition (q-ary lattice)
โค is a q-ary lattice if qZn โ โค โ Zn
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 36 / 43
Q-ary Lattices and Cryptography
Random lattices in Cryptography
0
Cryptography typically uses (random) lattices โคsuch that
โค โ Zd is an integer latticeqZd โ โค is periodic modulo a small integer q.
Cryptographic functions based on q-ary latticesinvolve only arithmetic modulo q.
Definition (q-ary lattice)
โค is a q-ary lattice if qZn โ โค โ Zn
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 36 / 43
Q-ary Lattices and Cryptography
Examples of q-ary lattices
Examples (for any A 2 Znโฅdq )
โคq(A) = {x | x mod q 2 ATZnq} โ Zd
โค?q (A) = {x | Ax = 0 mod q} โ Zd
TheoremFor any lattice โค the following conditions are equivalent:
qZd โ โค โ Zd
โค = โคq(A) for some A
โค = โค?q (A) for some A
For any fixed A, the lattices โคq(A) and โค?q (A) are diโตerent
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 37 / 43
Random Lattices in Cryptography
![Page 11: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/11.jpg)
11
Ajtaiโs One Way FunctionQ-ary Lattices and Cryptography
Ajtaiโs one-way function (SIS)
Parameters: m, n, q 2 ZKey: A 2 Znโฅm
q
Input: x 2 {0, 1}m
Output: fA(x) = Ax mod q
m
xT
โฅ
n A
f
Ax
Theorem (Aโ96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in the
worst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [Aโ96], Hashing [GGHโ97], Commit [KTXโ08], IDschemes [Lโ08], Signatures [LMโ08,GPVโ08,. . . ,DDLLโ13] . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 39 / 43
Q-ary Lattices and Cryptography
Ajtaiโs one-way function (SIS)
Parameters: m, n, q 2 ZKey: A 2 Znโฅm
q
Input: x 2 {0, 1}m
Output: fA(x) = Ax mod q
m
xT
โฅ
n Af
Ax
Theorem (Aโ96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in the
worst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [Aโ96], Hashing [GGHโ97], Commit [KTXโ08], IDschemes [Lโ08], Signatures [LMโ08,GPVโ08,. . . ,DDLLโ13] . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 39 / 43
Q-ary Lattices and Cryptography
Ajtaiโs one-way function (SIS)
Parameters: m, n, q 2 ZKey: A 2 Znโฅm
q
Input: x 2 {0, 1}m
Output: fA(x) = Ax mod q
m
xT
โฅ
n Af
Ax
Theorem (Aโ96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in the
worst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [Aโ96], Hashing [GGHโ97], Commit [KTXโ08], IDschemes [Lโ08], Signatures [LMโ08,GPVโ08,. . . ,DDLLโ13] . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 39 / 43
Ajtai 96: For m > n log q, if lattice problems are hard to approximate in the worst case then fA(x) = A x mod q is a
one way function.
![Page 12: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/12.jpg)
12
Regevโs One Way FunctionQ-ary Lattices and Cryptography
Regevโs Learning With Errors (LWE)
A 2 Zmโฅkq , s 2 Zk
q , e 2 Em.
gA(s
; e
) = As
+ e
mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Rโ05)
The function gA(s, e) is hard to
invert on the average, assuming
SIVP is hard to approximate in the
worst-case.
k
sT
โฅ
m A
+ e
g
b
Applications: CPA PKE [Rโ05], CCA PKE [PWโ08], (H)IBE[GPVโ08,CHKPโ10,ABBโ10], FHE [. . . ,Bโ12,APโ13,GSWโ13], . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 41 / 43
![Page 13: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/13.jpg)
13
Regevโs One Way FunctionQ-ary Lattices and Cryptography
Regevโs Learning With Errors (LWE)
A 2 Zmโฅkq , s 2 Zk
q , e 2 Em.
gA(s
; e
) = As
+ e
mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Rโ05)
The function gA(s, e) is hard to
invert on the average, assuming
SIVP is hard to approximate in the
worst-case.
k
sT
โฅ
m A
+ e
g
b
Applications: CPA PKE [Rโ05], CCA PKE [PWโ08], (H)IBE[GPVโ08,CHKPโ10,ABBโ10], FHE [. . . ,Bโ12,APโ13,GSWโ13], . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 41 / 43
Q-ary Lattices and Cryptography
Regevโs Learning With Errors (LWE)
A 2 Zmโฅkq , s 2 Zk
q , e 2 Em.
gA(s; e) = As+ e mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Rโ05)
The function gA(s, e) is hard to
invert on the average, assuming
SIVP is hard to approximate in the
worst-case.
k
sT
โฅ
m A + eg
b
Applications: CPA PKE [Rโ05], CCA PKE [PWโ08], (H)IBE[GPVโ08,CHKPโ10,ABBโ10], FHE [. . . ,Bโ12,APโ13,GSWโ13], . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 41 / 43
Regev 05: The function gA(s, e) is hard to invert on the average assuming lattice problems are hard to
approximate in worst case
k*
![Page 14: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/14.jpg)
An Example Encryption Scheme
14
โ Encrypt (A, u) :
โ Pick random vector s
โ c0 = AT s + noise
โ c1 = uT s + noise + q/2 msg
โ Recall A (e) = u mod q hard to invert for short e
โ Secret: e, Public : A, u
AT
uT
se
+
โ Decrypt (e) :
โ eT c0 โ c1 = q/2 msg + noise Indistinguishable from random!
0
q-1
q/2
![Page 15: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/15.jpg)
Can be made Fully Homomorphic! (BV11, BGV12, GSW13โฆ)
15
Expressive Functionality:
Supports arbitrary circuits
Compact ciphertext,
independent of circuit size
Encryption and function evaluation
commute!Enc(f(x)) =* f(Enc(x))
* : roughly
![Page 16: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/16.jpg)
All of cryptography is a jugalbandi between
16
Dancing the Dance
- correctness & security- algorithms & complexity - structure & randomness
![Page 17: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/17.jpg)
Deniable Fully Homomorphic Encryption
Deniable FHEThe notion of Deniable FHE
Deniable Encryption
Fully Homomorphic Encryption
17
![Page 18: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/18.jpg)
Deniable FHE (AGM21)
Vote 1 for me Vote 0 for me10
๐ ๐, ๐๐ โ ๐บ๐๐
๐ ๐
๐๐
๐๐ก! = ๐ธ๐๐(๐๐, ๐!; ๐)
๐๐ก!
๐๐ก" ๐๐ก# ๐๐ก$
, ๐๐ก", โฆ , ๐๐ก$
๐๐กโ = ๐ธ๐ฃ๐๐(ฮฃ#&!' , ๐๐ก!, โฆ , ๐๐ก$)
๐ท๐๐ ๐ ๐, ๐๐กโ = ฮฃ#&!' ๐#
Bob, for whom did you vote?
18
![Page 19: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/19.jpg)
10
๐ ๐
๐๐
๐๐ก! = ๐ธ๐๐(๐๐, ๐!; ๐)
๐๐ก!
๐๐ก" ๐๐ก# ๐๐ก$
, ๐๐ก", โฆ , ๐๐ก$
๐๐กโ = ๐ธ๐ฃ๐๐(ฮฃ#&!' , ๐๐ก!, โฆ , ๐๐ก$)
๐ท๐๐ ๐ ๐, ๐๐กโ = ฮฃ#&!' ๐#
Bob, for whom did you vote? ๐( โ ๐น๐๐๐(๐๐, ๐!, ๐, ๐!)
๐!, ๐๐!, ๐โฒ
๐๐, ๐ธ๐๐(๐๐, ๐!; ๐), ๐!, ๐( โ) {๐๐, ๐ธ๐๐ ๐๐, ๐!; ๐ , ๐!, ๐}
๐๐ก! = ๐ธ๐๐ ๐๐, ๐!; ๐ = ๐ธ๐๐(๐๐, ๐!; ๐()
โFakeโ Distribution โHonestโ Distribution
Deniable FHE
19
![Page 20: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/20.jpg)
Deniable FHE
โข A Deniable FHE scheme (๐บ๐๐, ๐ธ๐๐, ๐ธ๐ฃ๐๐, ๐ท๐๐, ๐น๐๐๐)
โข (๐บ๐๐, ๐ธ๐๐, ๐ธ๐ฃ๐๐, ๐ท๐๐) is an FHE scheme
โข (๐บ๐๐, ๐ธ๐๐, ๐ท๐๐, ๐น๐๐๐) is a Deniable Encryption scheme
Deniable Encryption
Fully Homomorphic Encryption
20
![Page 21: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/21.jpg)
Deniable FHE
A Deniable FHE scheme (๐บ๐๐, ๐ธ๐๐, ๐ธ๐ฃ๐๐, ๐ท๐๐, ๐น๐๐๐) syntax
โข ๐บ๐๐ โ ๐๐, ๐ ๐
โข ๐ธ๐๐ ๐๐,๐; ๐ = ๐๐ก
โข ๐ท๐๐ ๐ ๐, ๐๐ก = ๐
โข ๐ธ๐ฃ๐๐ ๐๐, ๐, ๐๐ก", โฆ , ๐๐ก* = ๐๐กโ
โข ๐น๐๐๐ ๐๐, ๐, ๐, @๐ โ ๐โฒ
21
![Page 22: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/22.jpg)
Special
Special Fully Homomorphic Encryption
Deniable FHEOur Construction of Deniable FHE
22
![Page 23: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/23.jpg)
FHE: A Very Brief Recap
โข All known FHE schemes add noise in CT for security.โข Homomorphic evaluation of CTs (eval(f, ct1โฆctn) ) cause noise to growโข Kills correctness after noise grows too muchโข Limits number of homomorphic operations
How to keep going: Gentryโs bootstrapping [Gen09]!
23
![Page 24: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/24.jpg)
The Magic of Bootstrappingโข Assume that an encryption scheme is powerful enough to support evaluation of its own decryption circuit Dec.
โข By correctness of decryption, Dec(ctx, sk) = x
โข Define circuit Dec!" sk = Dec(sk, ct)โข By correctness of homomorphic evaluation, Eval(F, ctx) = ct(F(x))
xDec , sk = x
Decct (sk)=skDecct , =Eval x24
![Page 25: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/25.jpg)
The Magic of BootstrappingโขOriginally introduced to reduce noise in evaluated ciphertext
โขHomomorphic evaluation of decryption โข removes large old noise โข adds small new noise (size small since decryption shallow)
AGM21: Oblivious Sampling of FHE ciphertexts!
25
![Page 26: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/26.jpg)
The Magic of Bootstrappingโข Assume that decryption always outputs 0 or 1โข even if input ct is not well formed
โข Then, bootstrapping always outputs proper encryption of 0 or 1!
Decct (sk)=skDecct , =Eval x
Even if input โctโ is a random element in ciphertext space!
26
![Page 27: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/27.jpg)
The Magic of Bootstrappingโข Assume that decryption outputs 0 w.o.p for random input
โข Then, bootstrapping outputs encryption of 0 w.o.p for random input
Decrand (sk)=skDecrand , =Eval 0
Given enc(sk), run dec homomorphically on random to generate encryption of 0 w.o.p!
27
![Page 28: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/28.jpg)
But, wait a minuteโฆโข Given encryption of 1, decryption outputs 1 w.o.p
โข Encryption of 1 is indistinguishable from random!
โข Can pretend as if ct1 = enc(1) is a random string
Decct1 (sk)=skDecct1 , =Eval 1
Pretend bootstrapping outputs enc(0) but actually enc(1)!28
![Page 29: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/29.jpg)
Can provide randomness R so it looks like Bootstrap(R) = enc(0) but actually enc(1)
OKโฆ but why is this useful?
![Page 30: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/30.jpg)
Leveraging our trick (binary msg space)
โข Let ๐ต ๐ฅ = ๐ธ๐ฃ๐๐(๐๐, ๐ท๐๐# , ๐๐ก$%) the bootstrapping procedure โข recall ๐ท๐๐+ ๐ ๐ = ๐ท๐๐(๐ ๐, ๐ฅ)
โข Denote homomorphic addition (mod 2) as๐ธ๐ฃ๐๐ ๐๐, +, ๐๐ก& , ๐๐ก' = ๐๐ก& โ ๐๐ก'
๐ต ๐ ! โโฏโ๐ต(๐ ") = Enc (Parity (๐ฅ!, โฆ , ๐ฅ"))
30
![Page 31: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/31.jpg)
Construction
๐บ๐๐:1. (๐๐, ๐ ๐) โ ๐บ๐๐2. ๐๐ก,* โ ๐ธ๐๐(๐๐, ๐ ๐)3. Output ๐๐ = ๐๐, ๐๐ก,* , ๐ ๐ = ๐ ๐
31
![Page 32: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/32.jpg)
๐ธ๐๐(๐๐, ๐):1. Sample ๐ฅ", โฆ , ๐ฅ$ โ {0,1} s.t. โ# ๐ฅ# = ๐ (๐๐๐ 2)2. For ๐ฅ# = 0, sample ๐ # โ โโ
3. For ๐ฅ# = 1, sample ๐# โ 0,1 โ! and set ๐ # = ๐ธ๐๐(๐๐, 1; ๐#)4. Compute ๐๐ก = ๐ต ๐ " โโฏโ๐ต(๐ $)5. Output ๐๐ก
๐ต โโ is a valid encryption of 0 w.h.p
Construction
32
![Page 33: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/33.jpg)
Construction
๐น๐๐๐(๐๐, ๐, ๐๐๐๐, ?๐):1. If ๐ = @๐, output ๐๐๐๐2. Sample ๐ โ [๐] s.t. ๐ฅ* = 13. Set ๐ฅ*( = 0 and ๐ *( = ๐ธ๐๐ ๐๐, 1; ๐*4. For ๐ โ ๐, set ๐ #( = ๐ # and ๐#( = ๐#5. Output ๐๐๐๐( = (๐ฅ"( , โฆ , ๐ฅ$( , ๐ #( +"!&!, ๐#
(+"!&")
Pseudorandom Ciphertext
By pretending one ciphertext enc(1) is random, parity flipped!
33
![Page 34: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/34.jpg)
Construction
๐ธ๐ฃ๐๐(๐๐, ๐, ๐๐ก(, โฆ , ๐๐ก%):1. Interpret ๐๐ก# as special FHE ciphertext ๐๐ก#2. Output ๐ธ๐ฃ๐๐(๐๐, ๐, ๐๐ก", โฆ , ๐๐ก*)
๐ท๐๐(๐๐ ๐, ๐๐ก): 1. Interpret ๐๐ก as special FHE ciphertext ๐๐ก2. Output ๐ท๐๐(๐ ๐, ๐๐ก)
34
As before!
![Page 35: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/35.jpg)
Special FHEDefinition and Instantiation
![Page 36: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/36.jpg)
Special FHE
Can be removed
Circular security
๐ต โโ is a valid
encryption of 0 w.h.p
36
Can be weakenedwhp to wnnp
Usually OK
Pseudo-random
CT
Det. eval and
dec
[BGV14] FHE satisfies all properties!
![Page 37: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/37.jpg)
Women in Science
37
![Page 38: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/38.jpg)
Is Science Objective?
โWhenever the subject of women in science comes up, there are people fiercely committed to the idea that sexism does not exist. They will point to everything and anything else to explain differences while becoming angry and condescending if you even suggest that discrimination could be a factor. But these people are wrong. This data shows they are wrong.โ
[Scientific American 2012]
38Can we be open to this idea?
![Page 39: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/39.jpg)
Society has biases!A girl receives literally thousands of suggestions over time that tell her what her place/role isโฆ
- My earliest memory: Blessings received when touching feet of elders
- Todayโs experience: Prepared for women who (seem to) need, not for women who (seem to) lead
- Enormous pressure felt by (esp.) MS/PhD students about โown desiresโ versus family/expectations. Seen many bright young girls giving up or compromising heavily on career
39
Sometimes, discards/rebels. Often internalizes/compromises.
![Page 40: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/40.jpg)
![Page 41: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/41.jpg)
Gender Biased Forms
Faculty daughter or wife?
Students referred as โboysโ
Prof. X and Shweta, Dr. Uday and wife
Future of country depends on โthese guysโ
![Page 42: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/42.jpg)
Society has biases! And Science?
42
Scientists are supposed to be objective, able to evaluate data and results without being swayed by emotions or biases. This is a fundamental tenet of science. What this extensive literature shows is, in fact, scientists are people, subject to the same cultural norms and beliefs as the rest of society.
[Prof. Alison Coil, UCSD]
![Page 43: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/43.jpg)
โข Women canโt do mathโข Women are good at rote learning not reasoningโข It is not feminine to argueโข Why would Google pay so much to hire a woman whose just
going to go on maternity leaveโข I saw a very beautiful woman on our floor today and I
wondered, what she is doing on the science floor?โข Your paper has better chances since it will get sympathy,
being an all woman paperโข You left your parents to follow your desires? Our daughters
would never do thatโข If you study so much, who will marry you?โข Women need to put family first
![Page 44: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/44.jpg)
Soโฆ what next?
44
It only matters if you let it!
โข Is this daunting/depressing? Seeing it is overcoming it!
โข Reject these suggestions and they cannot touch you.โข Calling it out? Take a call. โข Preserve creative energy: results talk loudest!โข Cultivate support systemโข Personally: Follow(ed) gut even when no support. Willing to accept consequences.
![Page 45: Cryptography: The Jugalbandi of Structure and Randomness](https://reader033.fdocuments.us/reader033/viewer/2022042708/626669e392d9407f3d56d903/html5/thumbnails/45.jpg)
No Looking Back!
45Thank You
Images Credit: MF Hussain, Hans HoffmanSlides Credit: Daniele Micciancio, Chris Peikert, Saleet Mossel
Life is not easy for any of us. But what of that? We must have perseverance and above all confidence in ourselves. We must believe that we are gifted for something and that this thing must be attained.
-Marie Curie (first scientist to be awarded a Nobel Prize in two different categories)