DOCSLIB.ORG

On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in Helib and SEAL

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in Helib and SEAL On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin R. Albrecht Information Security Group, Royal Holloway, University of London Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev.1 2 Zm×n 2 Zn 2 Zm Given (A;(c) with) uniform A q , uniform s q and small e U Zm is c $ q or 0 1 0 1 0 1 n ! B C B C B C B C B C B C B C B C 0 1 B C B C B C B C B C B C B C B C B C B C B C B c C = B A C · @ s A + B e C : B C B C B C B C B C B C B C B C B C @ A @ A @ A 1Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In: 37th ACM STOC. ed. by Harold N. Gabow and Ronald Fagin. ACM Press, May 2005, pp. 84–93. FHE-schemes based on LWE BGV Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS 2012. Ed. by Shafi Goldwasser. ACM, Jan. 2012, pp. 309–325, implemented HELib FV Junfeng Fan and Frederik Vercauteren. Somewhat Practical Fully Homomorphic Encryption. Cryptology ePrint Archive, Report 2012/144. http://eprint.iacr.org/2012/144. 2012, implemented in SEAL v2 Small Secrets • HElib typically chooses s such that w = 64 entries are 1 and all remaining entries are 0, regardless of dimension n. {− g • SEAL chooses si $ 1; 0; 1 . How many bits of security does this cost? Hardness: Reductions v Constructions “A major part of our reduction […] is therefore dedicated to showing reduction from LWE (in dimension n) with arbitrary Zn secret in q to LWE (in dimension n log2 q) with a secret chosen uniformly over f0; 1g.”2 “This brings up the question of whether one can get better attacks against LWE instances with a very sparse secret (much smaller than even the noise). […] it seems that the very sparse secret should only add maybe one bit to the modulus/noise ratio.”3 2Zvika Brakerski et al. Classical hardness of learning with errors. In: 45th ACM STOC. ed. by Dan Boneh, Tim Roughgarden, and Joan Feigenbaum. ACM Press, June 2013, pp. 575–584. 3Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic Evaluation of the AES Circuit. Cryptology ePrint Archive, Report 2012/099. http://eprint.iacr.org/2012/099. 2012. Lattice Attacks Primal Attack solve Bounded Distance Decoding problem (BDD), i.e. 0 0 find s s.t. kw − ckis minimised, with w = A · s using • uSVP embedding or • Babai’s nearest planes resp. enumeration. Dual Attack solve Short Integer Solutions problem (SIS) in the left kernel of A, i.e. find a short w such that w · A = 0 and check if hw; ci = w · (A · s + e) = hw; ei is short. Dual Attack A reduced lattice basis contains short vectors. In particular, the first k k ≈ m · n=m vector is short: v δ0 q . 1. Construct a basis of the dual lattice from A. 2. Run lattice reduction algorithm to obtain short vectors vi. h i 4 3. Check if vi; c are small. 4Daniele Micciancio and Oded Regev. Lattice-based Cryptography. In: Post-Quantum Cryptography. Ed. by Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen. Berlin, Heidelberg, New York: Springer, Heidelberg, 2009, pp. 147–191. 1. Amortising Costs Dual Attack: Trade-off Given an LWE instance characterised by n, α, q and a vector v of length kvk such that v · A ≡ 0 (mod q), the advantage " of distinguishing hv; ci from random is close to5 exp(−π(kvk · α)2). 400 ) 350 BKZ cost ( 2 300 log 250 0 10 20 30 40 50 60 " = 1=2i 5Richard Lindner and Chris Peikert. Better Key Sizes (and Attacks) for LWE-Based Encryption. In: CT-RSA 2011. Ed. by Aggelos Kiayias. Vol. 6558. LNCS. Springer, Heidelberg, Feb. 2011, pp. 319–339. Amplifying Advantage To achieve constant advantage, repeat experiment ≈ 1="2 times for majority vote. ) 400 BKZ cost · i 2 2 350 ( 2 log 0 10 20 30 40 50 60 " = 1=2i Just do it™ Amortising Costs Avoiding 1="2 calls to BKZ in block size β. 1. L basis for fy 2 Zm : y · A ≡ 0 mod qg 2. R BKZ-β reduced basis for L 3. Repeat: 3.1 U $ a sparse unimodular matrix with small entries 0 · 3.2 Ri BKZ-β reduced basis for U R 3.3 yi shortest row vector in Ri h i 3.4 wi yi; c 4. Decide if wi is uniform or not. We give empirical evidence that the quality of Ri isn’t “too bad”: for 0 · m · n=m β = 2, they are < 2 δ0 q with δ0 for BKZ-β. 2. Scaling Scaling for Dual Attack • We do not need to find v · A ≡ 0 mod q, but any short v such that v · A = w is short suffices. • Consider the normal form of the dual attack on LWE Λ(A) = f(x; y) 2 Zm × Zn : x · A ≡ y mod qg • Given a short vector (v; w) 2 Λ(A) compute hv; ci = v · (A · s + e) = hw; si + hv; ei Scaling for Dual Attack • Aim is to balance k hw; si k ≈ k hv; ei k when ksk is small. • Scale the lattice6 Λ(A) = f(x; y=c) 2 Zm × (1=c · Z)n : x · A ≡ y mod qg for some constant c. • Lattice reduction produces a vector (v; w) with k k ≈ (m+n) · n=(m+n) (v; w) δ0 (q=c) : • The final error we aim to distinguish from uniform is v · A · s + hv; ei = hc · w; si + hv; ei : 6Shi Bai and Steven D. Galbraith. Lattice Decoding Attacks on Binary LWE. In: ACISP 14. Ed. by Willy Susilo and Yi Mu. Vol. 8544. LNCS. Springer, Heidelberg, July 2014, pp. 322–337. doi: 10.1007/978-3-319-08344-5_21. Scaling for Dual Attack From v · A · s + hv; ei = hc · w; si + hv; ei : we find c by solving α q p c = p · m − n 2 π h which equalises the noise contributions of both parts of the sum. 3. Sparse Secrets Ignoring Components • When the secret is sparse, most columns of A are irrelevant. • The probability of getting lucky (si = 0) when ignoring k random 6 components in dimension n with in total h entries si = 0 follows a hypergeometric distribution ( ) ( ) kY−1 n−h h P = 1 − = (k ) k n − i n i=0 k ≈ • Solving (with high enough probability) 1=Pk instances in dimension n − k solves our instance at dimension n. Ignoring Components in Dual Attack 0 v 1 0 A 1 0 s 1 v a ; ··· a − a ··· a ; − B 0 C B 0 0 0;k 1 0;k 0 n 1 C s0 B v C B a ··· a − a ··· a − C B C B 1 C B 1;0 1;k 1 1;k 1;n 1 C B . C B C B ··· ··· C B . C B v2 C B a2;0 a2;k−1 a2;k a2;n−1 C B C ? B C B C B C ≈ B . C · B . C · Bsk−1C 0 B . C B . .. .. C B C B C B C B sk C B C B ··· ··· C B C Bvm−3C B am−3;0 am−3;k−1 am−3;k am−3;n−1 C B . C @ A @ ··· ··· A @ . A vm−2 am−2;0 am−2;k−1 am−2;k am−2;n−1 . ··· ··· − vm−1 am−1;0 am−1;k−1 am−1;k am−1;n−1 sn 1 0 1 s0 B C B . C B . C B . C ( ) B C ? 0 ··· 0 ··· Bsk−1C ≈ a a − 0 0 · B C 0;0 0;k 1 B s C B k C B C . @ . A sn−1 Ignoring Components in Dual Attack 0 v 1 0 A 1 0 s 1 v a ; ··· a − a ··· a ; − B 0 C B 0 0 0;k 1 0;k 0 n 1 C 0 B v C B a ··· a − a ··· a − C B C B 1 C B 1;0 1;k 1 1;k 1;n 1 C B . C B C B ··· ··· C B . C B v2 C B a2;0 a2;k−1 a2;k a2;n−1 C B C B C B C B C ≈ B . C · B . C · B 0 C 0 B . C B . .. .. C B C B C B C B sk C B C B ··· ··· C B C Bvm−3C B am−3;0 am−3;k−1 am−3;k am−3;n−1 C B . C @ A @ ··· ··· A @ . A vm−2 am−2;0 am−2;k−1 am−2;k am−2;n−1 . ··· ··· − vm−1 am−1;0 am−1;k−1 am−1;k am−1;n−1 sn 1 0 1 0 B C B . C B . C B . C ( ) B C 0 ··· 0 ··· B 0 C = a a − 0 0 · B C 0;0 0;k 1 B s C B k C B C . @ . A sn−1 h · i h i c wk:; sk: + v; e Postprocessing 0 v 1 0 A 1 0 s 1 v a ; ··· a − a ··· a ; − B 0 C B 0 0 0;k 1 0;k 0 n 1 C 1 B v C B a ··· a − a ··· a − C B C B 1 C B 1;0 1;k 1 1;k 1;n 1 C B .
Load more

Recommended publications
  • Reproducibility and Pseudo-Determinism in Log-Space
    Reproducibility and Pseudo-determinism in Log-Space by Ofer Grossman S.B., Massachusetts Institute of Technology (2017) Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering and Computer Science at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY May 2020 c Massachusetts Institute of Technology 2020. All rights reserved. Author...................................................................... Department of Electrical Engineering and Computer Science May 15, 2020 Certified by.................................................................. Shafi Goldwasser RSA Professor of Electrical Engineering and Computer Science Thesis Supervisor Accepted by................................................................. Leslie A. Kolodziejski Professor of Electrical Engineering and Computer Science Chair, Department Committee on Graduate Students 2 Reproducibility and Pseudo-determinism in Log-Space by Ofer Grossman Submitted to the Department of Electrical Engineering and Computer Science on May 15, 2020, in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering and Computer Science Abstract Acuriouspropertyofrandomizedlog-spacesearchalgorithmsisthattheiroutputsareoften longer than their workspace. This leads to the question: how can we reproduce the results of a randomized log space computation without storing the output or randomness verbatim? Running the algorithm again with new
    [Show full text]
  • Fault-Tolerant Distributed Computing in Full-Information Networks
    Fault-Tolerant Distributed Computing in Full-Information Networks Shafi Goldwasser∗ Elan Pavlov Vinod Vaikuntanathan∗ CSAIL, MIT MIT CSAIL, MIT Cambridge MA, USA Cambridge MA, USA Cambridge MA, USA December 15, 2006 Abstract In this paper, we use random-selection protocols in the full-information model to solve classical problems in distributed computing. Our main results are the following: • An O(log n)-round randomized Byzantine Agreement (BA) protocol in a synchronous full-information n network tolerating t < 3+ faulty players (for any constant > 0). As such, our protocol is asymp- totically optimal in terms of fault-tolerance. • An O(1)-round randomized BA protocol in a synchronous full-information network tolerating t = n O( (log n)1.58 ) faulty players. • A compiler that converts any randomized protocol Πin designed to tolerate t fail-stop faults, where the n source of randomness of Πin is an SV-source, into a protocol Πout that tolerates min(t, 3 ) Byzantine ∗ faults. If the round-complexity of Πin is r, that of Πout is O(r log n). Central to our results is the development of a new tool, “audited protocols”. Informally “auditing” is a transformation that converts any protocol that assumes built-in broadcast channels into one that achieves a slightly weaker guarantee, without assuming broadcast channels. We regard this as a tool of independent interest, which could potentially find applications in the design of simple and modular randomized distributed algorithms. ∗Supported by NSF grants CNS-0430450 and CCF0514167. 1 1 Introduction The problem of how n players, some of who may be faulty, can make a common random selection in a set, has received much attention.
    [Show full text]
  • A Decade of Lattice Cryptography
    Full text available at: http://dx.doi.org/10.1561/0400000074 A Decade of Lattice Cryptography Chris Peikert Computer Science and Engineering University of Michigan, United States Boston — Delft Full text available at: http://dx.doi.org/10.1561/0400000074 Foundations and Trends R in Theoretical Computer Science Published, sold and distributed by: now Publishers Inc. PO Box 1024 Hanover, MA 02339 United States Tel. +1-781-985-4510 www.nowpublishers.com [email protected] Outside North America: now Publishers Inc. PO Box 179 2600 AD Delft The Netherlands Tel. +31-6-51115274 The preferred citation for this publication is C. Peikert. A Decade of Lattice Cryptography. Foundations and Trends R in Theoretical Computer Science, vol. 10, no. 4, pp. 283–424, 2014. R This Foundations and Trends issue was typeset in LATEX using a class file designed by Neal Parikh. Printed on acid-free paper. ISBN: 978-1-68083-113-9 c 2016 C. Peikert All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Photocopying. In the USA: This journal is registered at the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923. Authorization to photocopy items for in- ternal or personal use, or the internal or personal use of specific clients, is granted by now Publishers Inc for users registered with the Copyright Clearance Center (CCC). The ‘services’ for users can be found on the internet at: www.copyright.com For those organizations that have been granted a photocopy license, a separate system of payment has been arranged.
    [Show full text]
  • Communication Complexity (For Algorithm Designers)
    Full text available at: http://dx.doi.org/10.1561/0400000076 Communication Complexity (for Algorithm Designers) Tim Roughgarden Stanford University, USA [email protected] Boston — Delft Full text available at: http://dx.doi.org/10.1561/0400000076 Foundations and Trends R in Theoretical Computer Science Published, sold and distributed by: now Publishers Inc. PO Box 1024 Hanover, MA 02339 United States Tel. +1-781-985-4510 www.nowpublishers.com [email protected] Outside North America: now Publishers Inc. PO Box 179 2600 AD Delft The Netherlands Tel. +31-6-51115274 The preferred citation for this publication is T. Roughgarden. Communication Complexity (for Algorithm Designers). Foundations and Trends R in Theoretical Computer Science, vol. 11, nos. 3-4, pp. 217–404, 2015. R This Foundations and Trends issue was typeset in LATEX using a class file designed by Neal Parikh. Printed on acid-free paper. ISBN: 978-1-68083-115-3 c 2016 T. Roughgarden All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Photocopying. In the USA: This journal is registered at the Copyright Clearance Cen- ter, Inc., 222 Rosewood Drive, Danvers, MA 01923. Authorization to photocopy items for internal or personal use, or the internal or personal use of specific clients, is granted by now Publishers Inc for users registered with the Copyright Clearance Center (CCC). The ‘services’ for users can be found on the internet at: www.copyright.com For those organizations that have been granted a photocopy license, a separate system of payment has been arranged.
    [Show full text]
  • Cryptology and Computational Number Theory (Boulder, Colorado, August 1989) 41 R
    http://dx.doi.org/10.1090/psapm/042 Other Titles in This Series 50 Robert Calderbank, editor, Different aspects of coding theory (San Francisco, California, January 1995) 49 Robert L. Devaney, editor, Complex dynamical systems: The mathematics behind the Mandlebrot and Julia sets (Cincinnati, Ohio, January 1994) 48 Walter Gautschi, editor, Mathematics of Computation 1943-1993: A half century of computational mathematics (Vancouver, British Columbia, August 1993) 47 Ingrid Daubechies, editor, Different perspectives on wavelets (San Antonio, Texas, January 1993) 46 Stefan A. Burr, editor, The unreasonable effectiveness of number theory (Orono, Maine, August 1991) 45 De Witt L. Sumners, editor, New scientific applications of geometry and topology (Baltimore, Maryland, January 1992) 44 Bela Bollobas, editor, Probabilistic combinatorics and its applications (San Francisco, California, January 1991) 43 Richard K. Guy, editor, Combinatorial games (Columbus, Ohio, August 1990) 42 C. Pomerance, editor, Cryptology and computational number theory (Boulder, Colorado, August 1989) 41 R. W. Brockett, editor, Robotics (Louisville, Kentucky, January 1990) 40 Charles R. Johnson, editor, Matrix theory and applications (Phoenix, Arizona, January 1989) 39 Robert L. Devaney and Linda Keen, editors, Chaos and fractals: The mathematics behind the computer graphics (Providence, Rhode Island, August 1988) 38 Juris Hartmanis, editor, Computational complexity theory (Atlanta, Georgia, January 1988) 37 Henry J. Landau, editor, Moments in mathematics (San Antonio, Texas, January 1987) 36 Carl de Boor, editor, Approximation theory (New Orleans, Louisiana, January 1986) 35 Harry H. Panjer, editor, Actuarial mathematics (Laramie, Wyoming, August 1985) 34 Michael Anshel and William Gewirtz, editors, Mathematics of information processing (Louisville, Kentucky, January 1984) 33 H. Peyton Young, editor, Fair allocation (Anaheim, California, January 1985) 32 R.
    [Show full text]
  • 31 International Symposium on Distributed Computing Andréa W
    31 International Symposium on Distributed Computing DISC 2017, October 16–20, Vienna, Austria Edited by Andréa W. Richa LIPIcs – Vol. 91 – DISC2017 www.dagstuhl.de/lipics Editor Andréa W. Richa Computer Science and Engineering School of Computing, Informatics and Decision Systems Engineering (CIDSE) Arizona State University Tempe, AZ, USA [email protected] ACM Classification 1998 C.2 Computer-Communication Networks, C.2.4 Distributed Systems, D.1.3 Concurrent Programming, E.1 Data Structures, F Theory of Computation, F.1.1 Models of Computation, F.1.2 Modes of Computation ISBN 978-3-95977-053-8 Published online and open access by Schloss Dagstuhl – Leibniz-Zentrum für Informatik GmbH, Dagstuhl Publishing, Saarbrücken/Wadern, Germany. Online available at http://www.dagstuhl.de/dagpub/978-3-95977-053-8. Publication date October, 2017 Bibliographic information published by the Deutsche Nationalbibliothek The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available in the Internet at http://dnb.d-nb.de. License This work is licensed under a Creative Commons Attribution 3.0 Unported license (CC-BY 3.0): http://creativecommons.org/licenses/by/3.0/legalcode. In brief, this license authorizes each and everybody to share (to copy, distribute and transmit) the work under the following conditions, without impairing or restricting the authors’ moral rights: Attribution: The work must be attributed to its authors. The copyright is retained by the corresponding authors. Digital Object Identifier: 10.4230/LIPIcs.DISC.2017.0 ISBN 978-3-95977-053-8 ISSN 1868-8969 http://www.dagstuhl.de/lipics 0:iii LIPIcs – Leibniz International Proceedings in Informatics LIPIcs is a series of high-quality conference proceedings across all fields in informatics.
    [Show full text]
  • Arxiv:2106.11534V1 [Cs.DL] 22 Jun 2021 2 Nanjing University of Science and Technology, Nanjing, China 3 University of Southampton, Southampton, U.K
    Noname manuscript No. (will be inserted by the editor) Turing Award elites revisited: patterns of productivity, collaboration, authorship and impact Yinyu Jin1 · Sha Yuan1∗ · Zhou Shao2, 4 · Wendy Hall3 · Jie Tang4 Received: date / Accepted: date Abstract The Turing Award is recognized as the most influential and presti- gious award in the field of computer science(CS). With the rise of the science of science (SciSci), a large amount of bibliographic data has been analyzed in an attempt to understand the hidden mechanism of scientific evolution. These include the analysis of the Nobel Prize, including physics, chemistry, medicine, etc. In this article, we extract and analyze the data of 72 Turing Award lau- reates from the complete bibliographic data, fill the gap in the lack of Turing Award analysis, and discover the development characteristics of computer sci- ence as an independent discipline. First, we show most Turing Award laureates have long-term and high-quality educational backgrounds, and more than 61% of them have a degree in mathematics, which indicates that mathematics has played a significant role in the development of computer science. Secondly, the data shows that not all scholars have high productivity and high h-index; that is, the number of publications and h-index is not the leading indicator for evaluating the Turing Award. Third, the average age of awardees has increased from 40 to around 70 in recent years. This may be because new breakthroughs take longer, and some new technologies need time to prove their influence. Besides, we have also found that in the past ten years, international collabo- ration has experienced explosive growth, showing a new paradigm in the form of collaboration.
    [Show full text]
  • Verifiable Random Functions
    Verifiable Random Functions y z Silvio Micali Michael Rabin Salil Vadhan Abstract random string of the proper length. The possibility thus ex- ists that, if it so suits him, the party knowing the seed s may We efficiently combine unpredictability and verifiability by declare that the value of his pseudorandom oracle at some x f x extending the Goldreich–Goldwasser–Micali construction point is other than s without fear of being detected. It f s of pseudorandom functions s from a secret seed , so that is for this reason that we refer to these objects as “pseudo- s f knowledge of not only enables one to evaluate s at any random oracles” rather than using the standard terminology f x x NP point , but also to provide an -proof that the value “pseudorandom functions” — the values s come “out f x s is indeed correct without compromising the unpre- of the blue,” as if from an oracle, and the receiver must sim- s f dictability of s at any other point for which no such a proof ply trust that they are computed correctly from the seed . was provided. Therefore, though quite large, the applicability of pseu- dorandom oracles is limited: for instance, to settings in which (1) the “seed owner”, and thus the one evaluating 1Introduction the pseudorandom oracle, is totally trusted; or (2) it is to the seed-owner’s advantage to evaluate his pseudorandom oracle correctly; or (3) there is absolutely nothing for the PSEUDORANDOM ORACLES. Goldreich, Goldwasser, and seed-owner to gain from being dishonest. Micali [GGM86] show how to simulate a random ora- f x One efficient way of enabling anyone to verify that s b cle from a-bit strings to -bit strings by means of a con- f x really is the value of pseudorandom oracle s at point struction using a seed, that is, a secret and short random clearly consists of publicizing the seed s.However,this string.
    [Show full text]
  • Verifiable Random Functions
    Verifiable Random Functions The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters Citation Micali, Silvio, Michael Rabin, and Salil Vadhan. 1999. Verifiable random functions. In Proceedings of the 40th Annual Symposium on the Foundations of Computer Science (FOCS `99), 120-130. New York: IEEE Computer Society Press. Published Version http://dx.doi.org/10.1109/SFFCS.1999.814584 Citable link http://nrs.harvard.edu/urn-3:HUL.InstRepos:5028196 Terms of Use This article was downloaded from Harvard University’s DASH repository, and is made available under the terms and conditions applicable to Other Posted Material, as set forth at http:// nrs.harvard.edu/urn-3:HUL.InstRepos:dash.current.terms-of- use#LAA Verifiable Random Functions y z Silvio Micali Michael Rabin Salil Vadhan Abstract random string of the proper length. The possibility thus ex- ists that, if it so suits him, the party knowing the seed s may We efficiently combine unpredictability and verifiability by declare that the value of his pseudorandom oracle at some x f x extending the Goldreich–Goldwasser–Micali construction point is other than s without fear of being detected. It f s of pseudorandom functions s from a secret seed , so that is for this reason that we refer to these objects as “pseudo- s f knowledge of not only enables one to evaluate s at any random oracles” rather than using the standard terminology f x x NP point , but also to provide an -proof that the value “pseudorandom functions” — the values s come “out f x s is indeed correct without compromising the unpre- of the blue,” as if from an oracle, and the receiver must sim- s f dictability of s at any other point for which no such a proof ply trust that they are computed correctly from the seed .
    [Show full text]
  • Computer Science and Its Impact on Our Future
    האקדמיה הלאומית הישראלית למדעים והאקדמיה הלאומית למדעים של ארצות הברית מתכבדות להזמינכם לכינוס משותף The Israel Academy of Sciences and Humanities and the National Academy of Sciences of the United States take pleasure in inviting you to The Inaugural US−Israel Blavatnik Scientific Forum on Computer Science And Its Impact On Our Future שני-רביעי, ט״ז-י״ח באלול תשע״ט Monday-Wednesday, September 16-18, 2019 Program Monday, September 16, 2019 Tuesday, September 17, 2019 1000 Greetings SESSION III Nili Cohen, President, Israel Academy of Sciences and Chair: Shimon Ullman, Weizmann Institute of Science Humanities (IASH) Quantum Science & Technology – Part II Ken Fulton, Executive Director, National Academy of 0900 Dorit Aharonov, The Hebrew University of Jerusalem Sciences (NAS) Quantum Information Science: A Computational Lens on SESSION I Quantum Physics Chair: David Harel, Weizmann Institute of Science 0945 Thomas Vidick, California Institute of Technology Secure Computation with Quantum Devices: Quantum Science & Technology – Part I From Device-Independent Cryptography to Verification 1015 Charles H. Bennett, IBM Thomas J. Watson Research Center of Quantum Computers The Quantum Impact on Technology and Fundamental Questions 1030 Coffee Break 1100 Ady Stern, Weizmann Institute of Science Computer Science & Society – Part II Harnessing Topological Physics for Quantum Computation 1100 Shafi Goldwasser, Massachusetts Institute of Technology 1145 Coffee Break Safe Machine Learning Computer Science & Society – Part I 1145 Moshe Vardi, Rice University
    [Show full text]
  • An Interview with Shafi Goldwasser & Silvio Micali
    last byte DOI:10.1145/2461256.2461281 Leah Hoffmann Q&A Cracking the Code Turing Award recipients Shafi Goldwasser and Silvio Micali talk about proofs, probability, and poker. THOUGH THEIR ROUTES to computer science differed, ACM A.M. Turing Award recipients Shafi Goldwasser and Silvio Micali have forged a com- mon path in the field since they met in graduate school. Goldwasser was born in Israel and got hooked on programming in college at Carnegie Mellon University. Micali was born in Italy and discovered his interest in the field at the University of Rome through courses in lambda cal- culus and logic. Now both at MIT (Gold- wasser holds a joint appointment at the Weizmann Institute of Science in Israel), the two have revolutionized cryptography by working through fun- damental questions and forging a link with computational complexity. Since their groundbreaking 1983 paper on probabilistic encryption, their work has transformed the scope of cryptog- raphy from encrypting private mes- sages to strengthening data security, facilitating financial transactions, and supporting cloud computing. What drew you both to the field? SILVIO: I started in physics and switched to mathematics. Then, to- ward the very end, I took two courses in discrete mathematics. So I switched to theoretical computer science and went to Berkeley, and that’s where I I drove up with a friend to see Berkeley cited and an exciting bunch. met Shafi. on a very sunny day. It was beautiful— SILVIO: By contrast, when I landed at SHAFI: I went to college at Carnegie green hills, bright blue skies—so off I Berkeley, it was raining, and I discov- Mellon in applied mathematics.
    [Show full text]
  • 17Th Knuth Prize: Call for Nominations
    17th Knuth Prize: Call for Nominations The Donald E. Knuth Prize for outstanding contributions to the foundations of computer science is awarded for major research accomplishments and contri- butions to the foundations of computer science over an extended period of time. The Prize is awarded annually by the ACM Special Interest Group on Algo- rithms and Computing Theory (SIGACT) and the IEEE Technical Committee on the Mathematical Foundations of Computing (TCMF). Nomination Procedure Anyone in the Theoretical Computer Science com- munity may nominate a candidate. To do so, please send nominations to : [email protected] with a subject line of Knuth Prize nomi- nation by February 15, 2017. The nomination should state the nominee's name, summarize his or her contributions in one or two pages, provide a CV for the nominee or a pointer to the nominees webpage, and give telephone, postal, and email contact information for the nominator. Any supporting letters from other members of the community (up to a limit of 5) should be included in the package that the nominator sends to the Committee chair. Supporting letters should contain substantial information not in the nomination. Others may en- dorse the nomination simply by adding their names to the nomination letter. If you have nominated a candidate in past years, you can re-nominate the candi- date by sending a message to that effect to the above address. (You may revise the nominating materials if you desire). Criteria for Selection The winner will be selected by a Prize Committee consisting of six people appointed by the SIGACT and TCMF Chairs.
    [Show full text]