Foundations of Lattice Cryptography - UCI Mathematics


Foundations of Lattice Cryptography

Daniele Micciancio

Department of Computer Science and Engineering, University of California, San Diego

August 12-16, 2013, (UCI)

Daniele Micciancio Foundations of Lattice Cryptography


This Talk

Introduction to Lattice Cryptography for Math/non-CS

Assume familiarity with math (number theory, lattices, . . . )
Focus on computational issues, relevant to cryptography/computer science

High level view. If you want to know more ask questions!

Cryptography ⊆ Math ∩ Computer Science

Same old lattices
Many interesting questions, both from math and cryptography
Here: what questions are relevant/important to cryptography?
Will use familiar examples from number theory for illustration


Lattices and Bases

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b_1, . . . , b_n} ⊂ R^n:

$$L = \sum_{i=1}^{n} b_i \cdot \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\}$$

The same lattice has many bases:

$$L = \sum_{i=1}^{n} c_i \cdot \mathbb{Z}$$

Definition (Lattice)

A discrete additive subgroup of R^n

[Figure: the same lattice drawn with two different bases, b1, b2 and c1, c2]
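The following Python example is added here to make the "many bases" statement checkable; it is not part of the slides. Two bases B and C (columns of the matrices) generate the same lattice exactly when U = B^{-1} C is an integer matrix with det U = ±1; if U is integral but |det U| > 1, L(C) is a sublattice of index |det U|; if U has a non-integer entry, some c_j is not a lattice point at all. The lattice used (basis (2,0), (1,1), the points with x + y even), the comparison bases, and the helper names solve, det, in_lattice and compare_lattices are this example's own constructions; exact Fraction arithmetic is used so the integrality test is not a floating-point guess.

```python
from fractions import Fraction

# Matrices are lists of rows; basis vectors are the COLUMNS.
# Constructed example: B has columns b1 = (2, 0), b2 = (1, 1).
B = [[2, 1],
     [0, 1]]
# C = B * U for the unimodular U = [[1, 1], [1, 2]]: columns (3, 1) and (4, 2).
C = [[3, 4],
     [1, 2]]
# D = B * diag(2, 1): columns (4, 0) and (1, 1), an index-2 sublattice of L(B).
D = [[4, 1],
     [0, 1]]
I2 = [[1, 0],
      [0, 1]]     # the standard basis of Z^2: L(B) is a proper sublattice of it


def solve(B, C):
    """Return U with B * U = C by Gauss-Jordan elimination over the rationals.
    B must be invertible (linearly independent basis vectors)."""
    n = len(B)
    M = [[Fraction(v) for v in B[i]] + [Fraction(v) for v in C[i]] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def det(M):
    """Exact determinant by elimination (used for the unimodularity test)."""
    n = len(M)
    A = [[Fraction(v) for v in row] for row in M]
    d = Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            d = -d
        d *= A[col][col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return d


def lattice_vector(B, x):
    """The lattice point B x = sum_j x_j * b_j."""
    return [sum(B[i][j] * x[j] for j in range(len(x))) for i in range(len(B))]


def in_lattice(B, v):
    """v is in L(B) iff its coordinates x = B^{-1} v are all integers."""
    coords = [row[0] for row in solve(B, [[c] for c in v])]
    return all(x.denominator == 1 for x in coords)


def compare_lattices(B, C):
    """Classify L(C) relative to L(B) via U = B^{-1} C:
    ('not contained', None), ('same', 1) or ('sublattice', index)."""
    U = solve(B, C)
    if any(u.denominator != 1 for row in U for u in row):
        return ("not contained", None)
    index = int(abs(det(U)))
    return ("same", 1) if index == 1 else ("sublattice", index)


if __name__ == "__main__":
    print(lattice_vector(B, [1, 1]))       # (3, 1), the first column of C
    print(compare_lattices(B, C))          # ('same', 1)
    print(compare_lattices(B, D))          # ('sublattice', 2)
    print(compare_lattices(B, I2))         # ('not contained', None)
```

The same test also decides the reverse containment (swap the arguments), so L(B) = L(C) can be confirmed in both directions without enumerating any lattice points.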


Cryptography

Goal (informal): Build functions f : A → B that are hard to break

Question 1: What does it mean to break a function?

Average-case vs Worst-case complexity
Pseudorandomness
. . . for now, assume “break” = “invert”

Question 2: How do we argue about f being hard to break?

Attacks/Cryptanalysis: study the best known algorithms to invert a function
Security proofs: show that inverting the function allows one to solve the underlying mathematical problem


Familiar Example: Factoring based cryptography

Definition (Factoring problem)

Given composite N ∈ ℕ, find P, Q > 1 such that N = P · Q

Cryptographic functions:
Square(x) = x^2 mod N (Rabin)
Cube(x) = x^3 mod N (low exponent RSA)

[Figure: x ↦ Cube ↦ x^3; the inverse direction is marked ???]

Definition (loRSA inversion problem)

Given N ∈ ℕ, and y ∈ Z_N^*, find x such that Cube(x) = y.


Relation between Inversion and Factoring problems

Square, Cube are easy to invert if the factorization N = P · Q is known

Invert modulo P and Q separately
Combine the results using the Chinese Remainder Theorem

[Diagram: Factor N → Invert x^2 and Invert x^3; Invert x^2 → Factor N; Invert x^3 → Factor N is marked ???]

If you can invert x^2, then you can factor N:

Choose random x ∈ Z_N^*, and compute x′ = √(x^2)

If x′ ≠ ±x, then gcd(x − x′, N) ∈ {P, Q} gives out the factorization


Lattice cryptography

Two “kinds” of cryptographic functions

Functions for which lattice algorithms are the best known, or most natural attack. (E.g., NTRU, Gentry FHE, . . . )

[Diagram: Lattice Problem → Invert f → Lattice Problem ???]

Functions that are at least as hard to break as some standard lattice problem. (E.g., Ajtai, Regev, . . . )

[Diagram: Lattice Problem → Invert f → Lattice Problem]

What does f look like?

What Lattice Problem shall we use?

f may look quite different from Lattice Problem!


Minimum Distance and Successive Minima

Minimum distance

$$\lambda_1 = \min_{x, y \in L,\; x \neq y} \|x - y\| = \min_{x \in L,\; x \neq 0} \|x\|$$

Successive minima (i = 1, . . . , n)

$$\lambda_i = \min\{ r : \dim \operatorname{span}(B(r) \cap L) \geq i \}$$

(B(r) denotes the ball of radius r centered at the origin)

Examples

Z^n: λ1 = λ2 = . . . = λn = 1
Always: λ1 ≤ λ2 ≤ . . . ≤ λn

[Figure: a 2-dimensional lattice with the radii λ1 and λ2 marked]


Distance Function and Covering Radius

Distance function

$$\mu(t, L) = \min_{x \in L} \|t - x\|$$

Covering radius

$$\mu(L) = \max_{t \in \operatorname{span}(L)} \mu(t, L)$$

Spheres of radius µ(L) centered around all lattice points cover the whole space

[Figure: lattice points with spheres of radius µ covering the plane]


Relations among lattice parameters

Theorem

$$\lambda_1(L) \leq \lambda_2(L) \leq \dots \leq \lambda_n(L) \leq 2\mu(L) \leq \sqrt{n}\,\lambda_n(L)$$

Theorem (Banaszczyk)

$$1 \leq 2\lambda_1(L) \cdot \rho(L^*) \leq n$$

$$1 \leq \lambda_i(L) \cdot \lambda_{n-i+1}(L^*) \leq n$$

Remarks:

1 µ ≈ λn (up to √n factors)

2 For some lattices λ1 ≪ λ2 ≪ . . . ≪ λn

3 For some lattices λ1 = λ2 = . . . = λn and 2µ = √n λn

4 For some lattices λ1 = λ2 = . . . = λn and µ ≤ 2λn

Problem

Give an explicit construction of a lattice satisfying (4)
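An added Python example (not from the slides) that computes the quantities of the last three slides for a 2-dimensional lattice by exhaustive enumeration: the successive minima λ1, λ2, the distance function µ(t, L), a grid lower bound on the covering radius µ(L), and the chain λ1 ≤ λ2 ≤ 2µ ≤ √n λn of the theorem above. The lattices (D2 with basis (2,0), (1,1), i.e. the points with x + y even, and Z^2), the grid approximation of µ(L), and the function names are this example's own. All lengths are handled as squares in exact integer/Fraction arithmetic, so the equalities come out exact rather than approximate; D2 and Z^2 both turn out to be instances of remark (3): λ1 = λ2 and 2µ = √2 λ2.

```python
import math
from fractions import Fraction
from itertools import product

# Constructed 2-dimensional lattices; a basis is a list of two integer vectors.
D2 = [(2, 0), (1, 1)]    # lattice of points (x, y) with x + y even
Z2 = [(1, 0), (0, 1)]


def lattice_vector(B, x):
    """v = B x = x1*b1 + x2*b2 (coefficients may be Fractions for off-lattice targets)."""
    return tuple(sum(B[j][i] * x[j] for j in range(2)) for i in range(2))


def norm_sq(v):
    return v[0] ** 2 + v[1] ** 2


def vectors_within(B, R2):
    """All lattice vectors v with ||v||^2 <= R2. Since x = B^{-1} v, coefficient i is
    bounded by ||row_i(B^{-1})|| * sqrt(R2), which makes the search exhaustive."""
    (b1x, b1y), (b2x, b2y) = B
    det = b1x * b2y - b2x * b1y                  # nonzero for a genuine basis
    inv_rows = [(Fraction(b2y, det), Fraction(-b2x, det)),
                (Fraction(-b1y, det), Fraction(b1x, det))]
    R = math.sqrt(R2)
    bounds = [math.ceil(math.hypot(float(r[0]), float(r[1])) * R) + 1 for r in inv_rows]
    found = []
    for x in product(range(-bounds[0], bounds[0] + 1), range(-bounds[1], bounds[1] + 1)):
        v = lattice_vector(B, x)
        if norm_sq(v) <= R2:
            found.append(v)
    return found


def successive_minima_sq(B, R2):
    """[lambda_1^2, lambda_2^2]: shortest nonzero vector, then the shortest vector linearly
    independent of it. R2 must be large enough to contain two independent vectors."""
    vs = sorted((v for v in vectors_within(B, R2) if v != (0, 0)), key=norm_sq)
    chosen = []
    for v in vs:
        if not chosen or chosen[0][0] * v[1] - chosen[0][1] * v[0] != 0:
            chosen.append(v)
        if len(chosen) == 2:
            return [norm_sq(chosen[0]), norm_sq(chosen[1])]
    raise ValueError("enumeration radius too small for two independent vectors")


def dist_sq(B, t):
    """Distance function mu(t, L)^2 = min over v in L of ||t - v||^2."""
    t2 = norm_sq(t)
    if t2 == 0:
        return Fraction(0)
    # The origin is a lattice point at distance ||t||, so any lattice vector closer
    # to t satisfies ||v|| <= 2||t||; enumerating that ball is therefore exhaustive.
    return min(norm_sq((t[0] - v[0], t[1] - v[1])) for v in vectors_within(B, 4 * t2))


def covering_radius_sq_grid(B, steps):
    """Lower bound on mu(L)^2: max of mu(t, L)^2 over targets t = B s, s on a
    steps x steps grid of [0,1)^2 (the fundamental parallelepiped). It is exact
    whenever the grid hits a deepest hole, as it does for D2 and Z2 below."""
    best = Fraction(0)
    for s in product(range(steps), repeat=2):
        t = lattice_vector(B, (Fraction(s[0], steps), Fraction(s[1], steps)))
        best = max(best, dist_sq(B, t))
    return best


def check_parameter_chain(B, R2, steps):
    """lambda_1 <= lambda_2 <= 2 mu <= sqrt(2) lambda_2 for n = 2, compared on squares."""
    l1, l2 = successive_minima_sq(B, R2)
    mu2 = covering_radius_sq_grid(B, steps)
    return l1 <= l2 <= 4 * mu2 <= 2 * l2


if __name__ == "__main__":
    print(successive_minima_sq(D2, 4))       # [2, 2]: lambda_1 = lambda_2 = sqrt(2)
    print(dist_sq(D2, (1, 0)))               # 1: (1, 0) is a deepest hole of D2
    print(covering_radius_sq_grid(D2, 4))    # 1: mu(D2) = 1, so 2 mu = sqrt(2) lambda_2
    print(check_parameter_chain(D2, 4, 4), check_parameter_chain(Z2, 1, 2))
```

The enumeration bound is what makes the computed minima trustworthy: without it a finite coefficient range could silently miss a short vector with large coefficients, which is exactly the situation a badly skewed basis produces.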


Shortest Vector Problem

Definition (Shortest Vector Problem, SVPγ)

Given a lattice L(B), find a (nonzero) lattice vector Bx (with x ∈ Z^k) of length (at most) ‖Bx‖ ≤ γλ1

[Figure: basis b1, b2 with the radii λ1 and 2λ1; the short lattice vector shown is Bx = 5b1 − 2b2]


Shortest Independent Vectors Problem

Definition (Shortest Independent Vectors Problem, SIVPγ)

Given a lattice L(B), find n linearly independent lattice vectors Bx1, . . . , Bxn of length (at most) max_i ‖Bxi‖ ≤ γλn

[Figure: basis b1, b2 with the radii λ2 and 2λ2; the two independent short vectors are Bx1 and Bx2]


Closest Vector Problem

Definition (Closest Vector Problem, CVPγ)

Given a lattice L(B) and a target point t, find a lattice vector Bx within distance ‖Bx − t‖ ≤ γµ from the target

[Figure: basis b1, b2, the target t with the radii µ and 2µ around it, and the lattice vector Bx within that distance]


Special Versions of SVP, SIVP and CVP

GapSVP: compute (or approximate) the value λ1 without necessarily finding a short vector

GapSIVP: compute (or approximate) the value λn without necessarily finding short linearly independent vectors

Bounded Distance Decoding (BDD): Solve CVP when µ(t,L) < λ1(L)/(2γ)

Absolute Distance Decoding (ADD): Find lattice point Bx such that ‖Bx − t‖ ≤ γ · µ(L).


Relations among (general) lattice problems

SIVP ≈ ADD [MG’01]

SVP ≤ CVP [GMSS’99]

SIVP ≤ CVP [M’08]

BDD ≲ SIVP

CVP ≲ SVP [L’86]

GapSVP ≈ GapSIVP [LLS’90,B’93]

GapSVP ≲ BDD [LM’09]

[Diagram: the problems grouped by application: GapSVP, GapSIVP, BDD / SIVP, ADD / SVP, CVP, with the labels Public Key Cryptography and Private Key Cryptography]

Question

Can we say the same about lattices with symmetries?

See [PR’07] for SVP ≤ CVP.


Worst-case vs. Average-case Hardness

Definition (Factoring problem)

Given composite N ∈ ℕ, find P, Q > 1 such that N = P · Q

Algorithm A solves the factoring problem if for any composite N, it outputs P, Q > 1 such that N = PQ.

Factoring is hard = No efficient algorithm solves Factoring

Same as: for every efficient algorithm A there exists composite N such that A(N) does not output P, Q
This is worst-case hardness: the hardest to factor N is indeed hard to factor

Not enough for cryptography!

It doesn’t matter if some key is hard to break
You want assurance that your (randomly chosen) key is hard to break with high probability
Average-case hardness: most N are hard to factor


Difficulties with average-case complexity

Average-case complexity depends on input distribution

Let N be a uniformly random integer in {1, . . . , 2^n}
Easy on average: N = 2 · (N/2) with probability 50%!

Let N be uniformly random in {N ∈ {1, . . . , 2^n} : N = P · Q}
Still easy: there are O(2^n/n) products with P = 2, and only O(2^n/n^2) products with P ≈ Q.

Let N = P · Q where P, Q ∈ {1, . . . , 2^{n/2}} are chosen uniformly at random

Ok, maybe now we got it right. This is believed to be hard onaverage.

Belief is based on many decades (or centuries) of hard work!

Question

How do we know a distribution is right for cryptography?


Average-case hardness: inversion problem

Definition (loRSA inversion problem)

Given N ∈ N, and y = Cube(x), recover x

Assume N = P · Q is a hard distribution for N

Question: how shall we choose x?

Answer: choose x ∈ Z∗N uniformly at random

Why? This is provably the hardest distribution!

Assume we can invert Cube on the average (say, w/ prob. 1%)
Say we want to invert y = Cube(x) (in the worst case)
Compute y′ = y · Cube(r) for randomly chosen r ∈ Z_N^*
Notice: x′ = x · r ∈ Z_N^* is uniformly random and Cube(x′) = y′

Recover x′ = x · r (with probability 1%)
Compute x = x′/r
Repeat 100 times to boost success probability
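The random self-reduction above, as an added Python example (not code from the slides). The average-case inverter is modelled by an oracle that succeeds only on an arbitrary 10% slice of inputs (here: y whose last decimal digit is 3) and answers None otherwise; the reduction blinds the worst-case instance y with a random cube, so each oracle call sees a fresh uniformly random y′, and unblinds the answer. The toy modulus N = 11 · 17 (chosen so that gcd(3, φ(N)) = 1 and Cube is a permutation of Z_N^*), the 10% slice, the trapdoor exponent inside the oracle, and the names partial_inverter, invert_anywhere and demo are this example's own.

```python
import math
import random

# Constructed toy parameters (assumption: small primes with gcd(3, (P-1)(Q-1)) = 1).
P, Q = 11, 17
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(3, -1, PHI)      # trapdoor exponent; used ONLY inside the model oracle below


def cube(x, n=N):
    """Cube(x) = x^3 mod n."""
    return pow(x, 3, n)


def partial_inverter(y):
    """Model of an inverter that works on an arbitrary ~10% of inputs:
    it answers only when y ends in the digit 3, and returns None otherwise."""
    if y % 10 != 3:
        return None
    return pow(y, D, N)


def invert_anywhere(y, oracle, rng, n=N, max_tries=10000):
    """Random self-reduction: y' = y * Cube(r) is Cube(x * r) for uniformly random
    x * r in Z_N^*, so the average-case oracle applies; x = x' / r unblinds.
    Returns (x, number of oracle calls) or (None, max_tries) if it never succeeds."""
    for tries in range(1, max_tries + 1):
        r = rng.randrange(1, n)
        if math.gcd(r, n) != 1:
            continue
        y_blind = y * cube(r, n) % n          # Cube(x * r), uniformly distributed
        x_blind = oracle(y_blind)
        if x_blind is not None:
            return x_blind * pow(r, -1, n) % n, tries
    return None, max_tries


def demo(x=5, seed=3):
    """Invert y = Cube(x) with the partial oracle and a seeded RNG; returns (x, calls)."""
    return invert_anywhere(cube(x), partial_inverter, random.Random(seed))


if __name__ == "__main__":
    print(partial_inverter(cube(5)))   # None: 125 is outside the oracle's good slice
    print(demo())                      # (5, k): recovered after k blinded queries
```

The expected number of oracle calls is about 1/(success probability), which is the "repeat 100 times" of the slide for a 1% inverter; the reduction does not need to know which inputs the oracle is good at, only that it is good on a fixed fraction of uniformly random ones.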


Cryptographic functions

Definition (Ajtai’s function)

fA(x) = Ax mod q where A ∈ Z_q^{n×m} and x ∈ {0, 1}^m

Example (n = 4, m = 7, q = 10):

x ∈ {0, 1}^m = (0 1 1 0 1 0 0)

A ∈ Z_q^{n×m} =
1 4 5 9 3 0 2
4 2 8 6 2 4 3
7 5 5 4 7 8 0
2 7 0 1 4 6 9

y = Ax ∈ Z_q^n = (2 2 7 1)

Cryptanalysis (Inversion)

Given A and y, find x ∈ {0, 1}m such that Ax = y


Ajtai’s function and lattice problems

Cryptanalysis (Inversion)

Given A and y, find small solution x ∈ {0, 1}^m to inhomogeneous linear system Ax = y (mod q)

Inverting Ajtai’s function can be formulated as a lattice problem.

Easy problem: find (arbitrary) integer solution t to system of linear equations At = y (mod q)

All solutions to Ax = y are of the form t + L where

$$L = \{x \in \mathbb{Z}^m : Ax = 0 \pmod q\}$$

Cryptanalysis problem: find a small vector in t + L
Equivalently: find a lattice vector v ∈ L close to t

Inverting Ajtai’s function is an average case instance of the Closest Vector Problem where the lattice is chosen according to L, for A ∈ Z_q^{n×m}, and x is a random “short” vector.
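An added Python example (not code from the slides) for the two Ajtai slides: it evaluates fA on the matrix and input shown on the previous slide, inverts it by brute force at this toy size, and checks that any two preimages of the same y differ by a vector of the kernel lattice L = {x : Ax = 0 (mod q)}, so that one known solution t places every other solution in t + L. It also shows the step the later security sketch relies on: a collision x1 ≠ x2 yields z = x1 − x2 ∈ {−1, 0, 1}^m with Az = 0 (mod q). The slide's A, x and q are copied from the page; the small A_TOY (n = 2, m = 5, q = 3, so 2^m > q^n and a collision must exist) and the function names are this example's own constructions.

```python
from itertools import product

# Parameters from the slide (n = 4, m = 7, q = 10).
Q_SLIDE = 10
A_SLIDE = [
    [1, 4, 5, 9, 3, 0, 2],
    [4, 2, 8, 6, 2, 4, 3],
    [7, 5, 5, 4, 7, 8, 0],
    [2, 7, 0, 1, 4, 6, 9],
]
X_SLIDE = [0, 1, 1, 0, 1, 0, 0]

# Constructed toy instance: 2^5 = 32 binary inputs, only 3^2 = 9 possible outputs,
# so by pigeonhole some two inputs collide.
Q_TOY = 3
A_TOY = [[1, 2, 0, 1, 2],
         [2, 1, 1, 0, 1]]


def ajtai(A, x, q):
    """f_A(x) = A x mod q."""
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in A]


def in_kernel_lattice(A, v, q):
    """Membership in L = {v in Z^m : A v = 0 (mod q)} (v may have negative entries)."""
    return all(c == 0 for c in ajtai(A, v, q))


def preimages(A, y, q):
    """Exhaustive inversion over {0,1}^m; only feasible at toy size (2^m candidates)."""
    m = len(A[0])
    return [list(x) for x in product((0, 1), repeat=m) if ajtai(A, x, q) == y]


def find_collision(A, q):
    """Two distinct binary inputs with the same output, or None if there are none.
    In the parameter regime of the security proof (2^m > q^n) a collision always exists."""
    seen = {}
    for x in product((0, 1), repeat=len(A[0])):
        y = tuple(ajtai(A, x, q))
        if y in seen:
            return seen[y], list(x)
        seen[y] = list(x)
    return None


def short_kernel_vector(A, x1, x2, q):
    """z = x1 - x2 in {-1, 0, 1}^m with A z = 0 (mod q): a short vector of the kernel lattice."""
    z = [a - b for a, b in zip(x1, x2)]
    if not in_kernel_lattice(A, z, q):
        raise ValueError("inputs do not collide")
    return z


if __name__ == "__main__":
    y = ajtai(A_SLIDE, X_SLIDE, Q_SLIDE)
    print(y)                                        # [2, 2, 7, 1], as on the slide
    sols = preimages(A_SLIDE, y, Q_SLIDE)
    t = sols[0]                                     # one solution; all others lie in t + L
    print(all(in_kernel_lattice(A_SLIDE, [a - b for a, b in zip(s, t)], Q_SLIDE) for s in sols))
    x1, x2 = find_collision(A_TOY, Q_TOY)
    print(short_kernel_vector(A_TOY, x1, x2, Q_TOY))  # entries in {-1, 0, 1}
```

At real parameters m is in the hundreds and the 2^m search is out of reach; what remains is the lattice view: x is a vector of t + L of length at most √m, and finding it is the CVP instance described above.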


Breaking a function

What does it mean to “break” f : A→ B?

Recovery Problem: Given f and f (x), recover x

with nonnegligible probability when f , x are chosen at random

Inversion Problem: Given f and y ∈ B, find x s.t. f (x) = y

with nonnegligible probability when f , x are chosen at random

Decision Problem: Given f and y ∈ B, determine if y ∈ f (A)

Given random f and y ∈ B, determine if y was chosen as y = f(x) (for random x), or uniformly from y ∈ B.

Definition (Pseudorandomness)

f (x) looks like a uniformly random element of f (A).


Pseudorandomness

The output of f : A → B is pseudorandom if f(A) looks like B.

Interesting property when |A| ≪ |B|.
Very important in cryptography:

Typically f(x) is used as an input or key to some other cryptographic function
If f(x) does not look random, it cannot be used as a key
Example: if f(x) is used as a one-time pad, then correlations in f(x) reveal correlations in the message.

Pseudorandomness can be very tricky:

Example: square(x) = x^2 (mod N)
Decision problem: determine if y is a quadratic residue
Are random quadratic residues hard to recognize?
Is testing quadratic residuosity as hard as factoring?


Lattice Based Cryptography

Ajtai: fA(x) = Ax (mod q), where A ∈ Z_q^{n×m} and x ∈ {0, 1}^m are chosen uniformly at random.

Regev: Similar, but for parameters that make fA injective

Lattice Problem: GapSVP, approximate λ1 within a factor O(n) in the worst-case

[Diagram: GapSVP → Invert random f → f(x) ≈ Z_q^n?]

This is the right way to use lattices!


Lattices with symmetries

Why use lattices with symmetries?

fA(x) = Ax can be computed much faster when A is a structured matrix, both in theory and practice

E.g., SWIFFT function [LMPR’08], performance comparable to block ciphers

Mathematically attractive (algebraic number theory, etc.)

Cryptanalysis:

Are structured A’s easier to break?

Is fA(x) still pseudorandom?

Security proof:

fA still hard to invert, assuming worst-case hardness of SVP on algebraic lattices [M’02]

One-way and pseudorandom even in the injective setting [LPR’10,LPR’13]


Limitations of proof based security analysis

Proof of security shows that

uniform A ∈ Zn×mq is the right distribution for cryptography,

fA(x) = Ax (mod q) is the right way to use A.

However it does not provide a good indication of the concrete hardness of breaking fA.

Conclusion

Security proof provides strong qualitative results pointing to the right distribution to be used in lattice cryptography

Concrete security is better assessed by cryptanalysis / lattice algorithms


Lattice Algorithms

Best known attack against lattice cryptography

Most accurate method to assess current security level of lattice cryptography

Many other applications:

Algebraic Number Theory
Factoring polynomials
Coding theory
Integer Programming
. . .


The LLL Algorithm [LLL’82]

Landmark result in theoretical computer science

Elegant theoretical analysis showing it approximates SVP within a γ = 2^{O(n)} factor

Works much better in practice when run on “random” lattices

Still, as dimension grows, experiments confirm the γ = 2^{O(n)} approximation

Questions

1 Can we do better than LLL?

2 Can lattice algorithms take advantage of lattice symmetries?


Beyond LLL: Exact Algorithms

Lattice algorithms for the exact solution of SVP, CVP, etc.

Algorithm         Time             Space  Prob.  Problem
Enum. [K’87]      2^{O(n log n)}   poly   no     SVP, CVP, SIVP
Sieve [AKS’01]    2^{O(n)}         exp    yes    SVP
Voronoi [MV’10]   2^{O(n)}         exp    no     SVP, CVP, SIVP

All work for arbitrary lattices

Use very different techniques/ideas

Can these methods take advantage of lattice symmetries?

Can they solve BDD faster than SVP/CVP?


Beyond LLL: Polynomial time approximation

Generalize LLL using exact algorithms for SVP in small dimensional sublattices

Block Korkine Zolotarev (BKZ) [Schnorr’87]

Rankin/Mordell inequality [GHKN’06,GN’08,DM’13]

Polynomial time approximation

LLL+Enumeration: γ = 2^{O(n (log log n)^2 / log n)}

LLL+Sieving: γ = 2^{O(n log log n / log n)} (randomized)

LLL+Voronoi: γ = 2^{O(n log log n / log n)}

Smooth trade-off between running time T and approximation:

γ ≈ 2^{O(n log log T / log T)}


References

MG Micciancio, Goldwasser (Springer 2001)
GMSS Goldreich, Micciancio, Safra, Seifert (Inf. Proc. Letters, 1999)
M Micciancio (SODA 2008) (FOCS 2002/Comp. Compl. 2007)
L Lovasz (SIAM 1986)
LLS Lagarias, Lenstra, Schnorr (Combinatorica 1990)
B Banaszczyk (Math. Ann. 1993)
LM Lyubashevsky, Micciancio (Crypto 2009)
PR Peikert, Rosen (STOC 2007)
LPR Lyubashevsky, Peikert, Regev (Eurocrypt 2010, 2013)
LMPR Lyubashevsky, Micciancio, Peikert, Rosen (FSE 2008)
LLL Lenstra, Lenstra, Lovasz (Math. Ann. 1982)
K Kannan (STOC 1983)
AKS Ajtai, Kumar, Sivakumar (STOC 2001)
MV Micciancio, Voulgaris (STOC 2010, SIAM J. Comp. 2013)
GHKN Gama, Howgrave-Graham, Koy, Nguyen (Crypto 2006)
GN Gama, Nguyen (STOC 2008)
DM Dadush, Micciancio (SODA 2013)


Blurring a lattice

Consider an arbitrary lattice, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered.

How much noise is needed? [MR]

$$\|r\| \leq (\log n) \cdot \sqrt{n} \cdot \lambda_n / 2$$

Each point a ∈ R^n can be written a = v + r where v ∈ L and ‖r‖ ≈ √n λn.

a ∈ R^n is uniformly distributed.

[Figure: lattice points v, each blurred by a noise vector r into a = v + r, until the blurred points cover the whole space]


Security of Ajtai’s function (sketch)

Generate random points a_i = v_i + r_i, where

v_i is a random lattice point
r_i is a random error vector of length ‖r_i‖ ≈ √n λn

A = [a_1, . . . , a_m] is distributed almost uniformly at random in R^{n×m}, q = n^{O(1)}, m = O(n log q) = O(n log n), so

if we can break Ajtai’s function fA, then we can find a vector z ∈ {−1, 0, 1}^m such that

$$\sum_i (v_i + r_i) z_i = \sum_i a_i z_i = 0$$

Rearranging the terms yields a lattice vector

$$\sum_i v_i z_i = -\sum_i r_i z_i$$

of length at most

$$\Big\| \sum_i r_i z_i \Big\| \approx \sqrt{m} \cdot \max_i \|r_i\| \approx n \cdot \lambda_n$$
