Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.


Transcript of Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Page 1: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Introduction to

Lattice-Based Cryptography

Vadim Lyubashevsky, Tel-Aviv University

September 9, 2009

Page 2: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Cryptographic Hardness Assumptions

Factoring is hard

Discrete Log Problem is hard

Diffie-Hellman problem is hard

Decisional Diffie-Hellman problem is hard

Problems involving Elliptic Curves are hard

Many assumptions

Page 3: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Why Do We Need More Assumptions?

Number theoretic functions are rather slow

Factoring, Discrete Log, Elliptic curves are “of the same flavor”

Quantum computers break all number theoretic assumptions

Page 4: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice-Based Cryptography

Seemingly very different assumptions from factoring, discrete log, elliptic curves

Simple descriptions and implementations

Very parallelizable

Resists quantum attacks (we think)

Security based on worst-case problems

Page 5: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Average-Case Assumptions vs. Worst-Case Assumptions

Example: Want to base a scheme on factoring

Need to generate a “hard-to-factor” N

How?

Need a “hard distribution”

Wishful thinking: Factoring random numbers from some distribution is as hard as factoring any number

Page 6: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems

[Roadmap diagram: Worst-Case lattice problems → Average-Case problems → cryptographic primitives]

Average-Case: Small Integer Solution Problem (SIS); Learning With Errors Problem (LWE)

Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes

Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

Page 7: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattices

Lattice: A discrete additive subgroup of R^n

Page 8: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattices

Basis: A set of linearly independent vectors that generate the lattice.

Page 9: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattices

Basis: A set of linearly independent vectors that generate the lattice.

Page 10: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Shortest Independent Vector Problem (SIVP)

Find n short linearly independent vectors

Page 11: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Shortest Independent Vector Problem (SIVP)

Find n short linearly independent vectors

Page 12: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Approximate Shortest Independent Vector Problem

Find n pretty short linearly independent vectors

Page 13: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Bounded Distance Decoding (BDD)

Given a target vector that's close to the lattice, find the nearest lattice vector

Page 14: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems

[Roadmap diagram repeated from Page 6: Worst-Case lattice problems → Average-Case problems (SIS, LWE) → Minicrypt and Cryptomania primitives]

Page 15: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Roadmap diagram from Page 6 with the worst-case problems filled in: SIVP and BDD on the Worst-Case side (the reduction from SIVP is marked “quantum”); SIS and LWE on the Average-Case side; Minicrypt and Cryptomania primitives as before]

Page 16: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Small Integer Solution Problem

Given: Random vectors a1, ..., am in Zq^n

Find: a non-trivial solution z1, ..., zm in {-1, 0, 1} such that:

a1 z1 + a2 z2 + … + am zm = 0

Observations:

If the size of the zi is not restricted, then the problem is trivial

Immediately implies a collision-resistant hash function

Page 17: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems

[Roadmap diagram repeated from Page 6: Worst-Case lattice problems → Average-Case problems (SIS, LWE) → Minicrypt and Cryptomania primitives]

Page 18: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Collision-Resistant Hash Function

Given: Random vectors a1, ..., am in Zq^n

Find: a non-trivial solution z1, ..., zm in {-1, 0, 1} such that a1 z1 + a2 z2 + … + am zm = 0

A = (a1, ..., am). Define hA: {0,1}^m → Zq^n where

hA(z1, ..., zm) = a1 z1 + … + am zm

Domain of h = {0,1}^m (size = 2^m). Range of h = Zq^n (size = q^n). Set m > n log q to get compression

Collision: a1 z1 + … + am zm = a1 y1 + … + am ym

So, a1 (z1 - y1) + … + am (zm - ym) = 0 and the zi - yi are in {-1, 0, 1}
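As an added example (not code from the talk), here is hA and the collision-to-SIS step in Python, with a brute-force collision search at constructed toy parameters (n = 2, q = 5, m = 6, chosen so that 2^m > q^n and the search is instant):

```python
import itertools
import random

def sis_hash(A, z, q):
    """h_A(z) = a1*z1 + ... + am*zm mod q.
    A is a list of m columns a_i, each a list of n integers in Z_q;
    z may have entries in {0,1} (hash input) or {-1,0,1} (SIS solution)."""
    n = len(A[0])
    return tuple(sum(a[j] * zi for a, zi in zip(A, z)) % q for j in range(n))

def random_sis_matrix(n, m, q, rng):
    """Uniformly random a_1, ..., a_m in Z_q^n: the 'Given' part of SIS."""
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]

def compresses(n, m, q):
    """The slide's compression condition: domain size 2^m exceeds range size q^n
    (equivalently m > n log2 q)."""
    return 2 ** m > q ** n

def find_collision(A, q):
    """Brute-force a collision y != z with h_A(y) = h_A(z) over {0,1}^m.
    Feasible only for toy m; by pigeonhole a collision exists whenever 2^m > q^n."""
    seen = {}
    for z in itertools.product((0, 1), repeat=len(A)):
        digest = sis_hash(A, z, q)
        if digest in seen:
            return seen[digest], z
        seen[digest] = z
    return None

def collision_to_sis_solution(A, q, y, z):
    """The reduction on the slide: from a collision h_A(y) = h_A(z), the vector
    w = z - y is non-zero, has entries in {-1,0,1}, and satisfies A w = 0 mod q."""
    w = [zi - yi for zi, yi in zip(z, y)]
    zero = tuple([0] * len(A[0]))
    if not any(w) or not all(c in (-1, 0, 1) for c in w) or sis_hash(A, w, q) != zero:
        raise ValueError("not a valid collision")
    return w

def demo(seed=7, n=2, m=6, q=5):
    """Constructed toy instance: returns the SIS solution extracted from a collision."""
    rng = random.Random(seed)
    A = random_sis_matrix(n, m, q, rng)
    y, z = find_collision(A, q)  # guaranteed to exist since compresses(2, 6, 5)
    return collision_to_sis_solution(A, q, y, z)

if __name__ == "__main__":
    print(demo())
```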

Page 19: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems

[Roadmap diagram repeated from Page 6: Worst-Case lattice problems → Average-Case problems (SIS, LWE) → Minicrypt and Cryptomania primitives]

Page 20: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Roadmap diagram from Page 6 with the worst-case problems SIVP and BDD shown on the Worst-Case side; SIS and LWE on the Average-Case side; Minicrypt and Cryptomania primitives as before]

Page 21: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

For Any Lattice ...

Consider the distribution obtained by:

1. Pick a uniformly random lattice point

2. Sample from a Gaussian distribution centered at the lattice point

Page 22: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

One-Dimensional Gaussian Distribution

Page 23: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Two-Dimensional Gaussian Distribution

Image courtesy of wikipedia

Page 24: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Gaussians on Lattice Points

Image courtesy of Oded Regev

Page 25: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Gaussians on Lattice Points

Image courtesy of Oded Regev

Page 26: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Gaussians on Lattice Points

Image courtesy of Oded Regev

Page 27: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Gaussians on Lattice Points

Image courtesy of Oded Regev

Page 28: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Shortest Independent Vector Problem (SIVP)

Find n short linearly independent vectors

The standard deviation of the Gaussian that leads to the uniform distribution is related to the length of the longest vector in the SIVP solution

Page 29: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Worst-Case to Average-Case Reduction

Page 30: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Worst-Case to Average-Case Reduction

Page 31: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Worst-Case to Average-Case Reduction

[Figure: the plane tiled by the lattice; the grid points inside each fundamental region are labeled by a pair of coordinates, each in {0, 1, 2}]

Important: All lattice points have label (0,0) and

All points labeled (0,0) are lattice points (0^n in n-dimensional lattices)

Page 32: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Figure: the labeled grid from Page 31]

How to use the SIS oracle to find a short vector in any lattice:

Repeat m times:

Pick a random lattice point

Page 33: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Figure: the labeled grid from Page 31]

How to use the SIS oracle to find a short vector in any lattice:

Repeat m times:

Pick a random lattice point

Gaussian sample a point around the lattice point

Page 34: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Figure: the labeled grid from Page 31]

How to use the SIS oracle to find a short vector in any lattice:

Repeat m times:

Pick a random lattice point

Gaussian sample a point around the lattice point

All the samples are uniform in Zq^n

Page 35: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Figure: the labeled grid from Page 31]

How to use the SIS oracle to find a short vector in any lattice:

Repeat m times:

Pick a random lattice point

Gaussian sample a point around the lattice point

Give the m “Zq^n samples” a1, ..., am to the SIS oracle

Oracle outputs z1, ..., zm in {-1, 0, 1} such that a1 z1 + … + am zm = 0

Page 36: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Figure: the labeled grid from Page 31; each sample is si = vi + ri, where vi is the chosen lattice point and ri the Gaussian offset, and ai is the label of si]

Give the m “Zq^n samples” a1, ..., am to the SIS oracle

Oracle outputs z1, ..., zm in {-1, 0, 1} such that a1 z1 + … + am zm = 0

s1 z1 + ... + sm zm is a lattice vector (its label is a1 z1 + … + am zm = 0)

(v1 + r1) z1 + ... + (vm + rm) zm is a lattice vector

(v1 z1 + ... + vm zm) + (r1 z1 + ... + rm zm) is a lattice vector

So r1 z1 + ... + rm zm is a lattice vector

Page 37: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

[Figure: the labeled grid from Page 31, with si = vi + ri as before]

Give the m “Zq^n samples” a1, ..., am to the SIS oracle

Oracle outputs z1, ..., zm in {-1, 0, 1} such that a1 z1 + … + am zm = 0

So r1 z1 + ... + rm zm is a lattice vector

The ri are short vectors and the zi are in {-1, 0, 1}

So r1 z1 + ... + rm zm is a short lattice vector

Page 38: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Some Technicalities

• You can’t sample a “uniformly random” lattice point

In the proofs, we work with R^n / L rather than R^n

So you don't need to sample a random lattice point

• What if r1 z1 + ... + rm zm is 0?

Can show that with high probability it isn't

Given an si, there are multiple possible ri

• Gaussian sampling doesn’t give us points on the grid

You can round to a grid point

Must be careful to bound the “rounding distance”

Page 39: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems

[Roadmap diagram repeated from Page 6: Worst-Case lattice problems → Average-Case problems (SIS, LWE) → Minicrypt and Cryptomania primitives]

Page 40: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems

[Roadmap diagram repeated from Page 6: Worst-Case lattice problems → Average-Case problems (SIS, LWE) → Minicrypt and Cryptomania primitives]

Page 41: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Learning With Errors Problem

Distinguish between these two distributions:

Oracle 1: outputs pairs (a1, b1 = <a1,s> + e1), (a2, b2 = <a2,s> + e2), …

s is chosen randomly in Zq^n; the ai are chosen randomly from Zq^n; the ei are “small” elements in Zq

Oracle 2: outputs pairs (a1, b1), (a2, b2), …

The ai are chosen randomly from Zq^n; the bi are chosen randomly from Zq

Page 42: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Learning With Errors Problem

[Figure: matrix form of the m samples, with rows a1, ..., am: A s + e = b]

The ai and s are in Zq^n

e is in Zq^m. All coefficients of e are < sqrt(q)

Page 43: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Learning With Errors Problem

[Figure: A s + e = b]

A is in Zq^(m × n), s is in Zq^n, e is in Zq^m

All coefficients of e are < sqrt(q)

LWE problem: Distinguish (A, As + e) from (A, b) where b is random

Page 44: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Public Key Encryption Based on LWE

[Figure: A s + e = b, and the encryption products r A and <r, b> + z(q/2)]

Secret Key: s in Zq^n

Public Key: A in Zq^(m × n), b = As + e, where each coefficient of e is < sqrt(q)

Encrypting a single bit z in {0,1}: Pick r in {0,1}^m. Send (rA, <r,b> + z(q/2))

Page 45: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Proof of Semantic Security

[Figure: A s + e = b; ciphertext (rA, <r,b> + z(q/2))]

If b is random, then (A, rA, <r,b>) is also completely random. So (A, rA, <r,b> + z(q/2)) is also completely random.

Since (A, b) looks random (based on the hardness of LWE), so does (A, rA, <r,b> + z(q/2)) for any z

Page 46: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Decryption

[Figure: A s + e = b; ciphertext (rA, <r,b> + z(q/2)); A is m × n]

Have (u, v) where u = rA and v = <r,b> + z(q/2)

Compute <u,s> - v. If <u,s> - v is closer to 0 than to q/2, then decrypt to 0. If <u,s> - v is closer to q/2 than to 0, then decrypt to 1

<u,s> - v = rAs - r(As + e) - z(q/2) = -<r,e> - z(q/2)

If all coefficients of e are < sqrt(q), then |<r,e>| < m·sqrt(q). So if q >> m·sqrt(q), z(q/2) “dominates” the term -<r,e> - z(q/2)
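The single-bit LWE scheme of Pages 44 to 46 as an added Python example (not the talk's code): key generation, encryption, the <u,s> - v decision rule, and the noise condition that makes decryption correct. The parameters (n = 16, m = 32, q = 4093, error bound 8) are constructed here so that m·bound < q/4; they are not the talk's.

```python
import random

def keygen(n, m, q, bound, rng):
    """Secret key s in Z_q^n; public key (A, b = A s + e) with A in Z_q^(m x n)
    and every coefficient of e drawn from [-bound, bound]."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-bound, bound) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return s, (A, b)

def encrypt(pk, bit, q, rng):
    """Encrypt one bit z: pick r in {0,1}^m, send (u, v) = (r A, <r, b> + z * floor(q/2))."""
    A, b = pk
    m, n = len(A), len(A[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    v = (sum(r[i] * b[i] for i in range(m)) + bit * (q // 2)) % q
    return u, v

def decrypt(sk, ct, q):
    """d = <u, s> - v = -<r, e> - z * floor(q/2) mod q; decide whether d is
    closer to 0 (bit 0) or to q/2 (bit 1)."""
    u, v = ct
    d = (sum(uj * sj for uj, sj in zip(u, sk)) - v) % q
    dist_to_zero = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 0 if dist_to_zero < dist_to_half else 1

def noise_budget_ok(m, bound, q):
    """Correctness condition: the worst case |<r, e>| <= m * bound must stay below q/4,
    otherwise -<r, e> can push d across the decision boundary."""
    return m * bound < q / 4

def roundtrip_failures(n=16, m=32, q=4093, bound=8, trials=100, seed=1):
    """Encrypt alternating bits under one key pair and count decryption failures
    (constructed parameters; returns 0 whenever noise_budget_ok holds)."""
    rng = random.Random(seed)
    sk, pk = keygen(n, m, q, bound, rng)
    failures = 0
    for t in range(trials):
        bit = t % 2
        if decrypt(sk, encrypt(pk, bit, q, rng), q) != bit:
            failures += 1
    return failures

if __name__ == "__main__":
    print(noise_budget_ok(32, 8, 4093), roundtrip_failures())
```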

Page 47: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattices in Practice

Lattices have some great features

Very strong security proofs

The schemes are fairly simple

Relatively efficient

But there is a major drawback

Schemes have very large keys

Page 48: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Hash Function

Description of the hash function: a1, ..., am in Zq^n

Input: Bit-string z1 ... zm in {0,1}

h(z1 ... zm) = a1 z1 + a2 z2 + … + am zm

Sample parameters: n = 64, m = 1024, p = 257

Domain size: 2^1024 (1024 bits). Range size: 257^64 (≈ 512 bits). Function description: log(257) * 64 * 1024 ≈ 525,000 bits

Page 49: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Public-Key Cryptosystem

(Textbook) RSA:

Key-size: ≈ 2048 bits

Ciphertext length (2048 bit message): ≈ 2048 bits

LWE-based scheme:

Key-size: ≈ 600,000 bits

Ciphertext length (2048 bit message): ≈ 40,000 bits

Page 50: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Source of Inefficiency

[Figure: h(z) = A z for an n × n(log n) matrix A (here 4 × 8) and a 0/1 vector z; the matrix and vector drawn on the slide:]

A =
  4 11  6  8 10  7  6 14
  7  7  1  2 13  0  3  0
  2  9 12  5  1  2  5  9
  1  3 14  9  7  1 11  1

z = (0, 1, 1, 0, 1, 0, 0, 1)

Require O(n^2) storage. Computing the function takes O(n^2) time

Page 51: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

A More Efficient Idea

[Figure: h(z) = A z, where the n × n(log n) matrix A now consists of circulant blocks (each column is the previous one cyclically shifted down); the matrix and vector drawn on the slide:]

A =
  4  1  2  7 | 10  7  1 13
  7  4  1  2 | 13 10  7  1
  2  7  4  1 |  1 13 10  7
  1  2  7  4 |  7  1 13 10

z = (0, 1, 1, 0, 1, 0, 0, 1)

Now A only requires n(log n) storage

Az can be computed faster as well

Page 52: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

A More Efficient Idea

[Figure: the same structured matrix A as on Page 51 (two circulant 4 × 4 blocks with first columns (4, 7, 2, 1) and (10, 13, 1, 7)) applied to z = (1, 0, 0, 1, 0, 1, 1, 0); each block times its part of z is a polynomial product:]

A z = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Zp[x]/(x^n - 1)

Page 53: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Interlude: What is Zp[x]/(x^n - 1)?

Z = integers

Zp = integers modulo p

Zp[x] = polynomials with coefficients in Zp

Example if p = 3: 1 + x, 2 + x^2 + x^1001

Zp[x]/(x^n - 1) = polynomials of degree at most n - 1, with coefficients in Zp

Example if p = 3 and n = 4: 1 + x, 2 + x + x^2

Page 54: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Operations in Zp[x]/(x^n - 1)

Addition: Addition of polynomials modulo p

Example if p = 3 and n = 4: (1 + x^2) + (2 + x^2 + x^3) = 2x^2 + x^3

Multiplication: Polynomial multiplication modulo p and x^n - 1

Example if p = 3 and n = 4: (1 + x^2) * (2 + x^2 + x^3) = 2 + 3x^2 + x^3 + x^4 + x^5 = 2 + 3x^2 + x^3 + 1 + x = x + x^3

Page 55: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Multiplication in Zp[x]/(x^n - 1) as a Matrix/Vector Product

Have polynomials f and g = g0 + g1 x + g2 x^2 + ... + g(n-1) x^(n-1)

[f | fx | fx^2 | fx^3] · (g0, g1, g2, g3)^T

= g0 f + g1 f x + g2 f x^2 + g3 f x^3

= f (g0 + g1 x + g2 x^2 + g3 x^3)

= f g

Page 56: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

A More Efficient Idea

[Figure: the structured matrix A from Page 51 applied to z = (1, 0, 0, 1, 0, 1, 1, 0), as on Page 52]

A z = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Zp[x]/(x^n - 1)

Multiplication in Zp[x]/(x^n - 1) takes time O(n log n) using FFT

Page 57: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Great, a Better Hash Function!

Sample parameters: n = 64, m = 1024, p = 257

Domain size: 2^1024 (1024 bits). Range size: 257^64 (≈ 512 bits). Function description: log(257) * 64 * 1024 ≈ 525,000 bits

“New function” description: log(257) * 64 * 16 ≈ 8192 bits, and it's much faster!

Page 58: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

But Is it Hard to Find Collisions?

[Figure: the structured n × n(log n) matrix A from Page 51 times z]

NO!

Page 59: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Finding Collisions

[Figure: the hash h mapping a domain D to a range R, and h mapping a domain D' to a range R']

Page 60: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Finding Collisions

[Figure: the structured matrix A from Page 51; its first block times the first block of z plus its second block times the second block of z gives the output vector]

How many possibilities are there for this vector? It is in Zq^n, so q^n

There is a way to pick the z vector “smarter” so that the number of possibilities is just q

Page 61: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Finding Collisions

The first circulant block of A (first column (4, 7, 2, 1)) times the all-zeros block (0, 0, 0, 0) = (0, 0, 0, 0)

The same block times the all-ones block (1, 1, 1, 1) = (14, 14, 14, 14)

Page 62: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Finding Collisions

[Figure: the structured matrix A from Page 51 times z, with the sum taken in Zq^n]

Set each block of z to either all 0's or all 1's. How many possibilities for z are there?

2^(# of blocks)

Need 2^(# of blocks) > q to guarantee a collision of this form

# of blocks > log q

Page 63: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Collision-Resistant Hash Function

Given: Vectors a1, ..., am in Zq^n

Find: a non-trivial solution z1, ..., zm in {-1, 0, 1} such that a1 z1 + a2 z2 + … + am zm = 0

A = (a1, ..., am). Define hA: {0,1}^m → Zq^n where

hA(z1, ..., zm) = a1 z1 + … + am zm

Domain of h = {0,1}^m (size = 2^m). Range of h = Zq^n (size = q^n). Set m > n log q to get compression

# of blocks = m/n > log q

Page 64: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

But …

Theorem: For a random r in Zq^n, it is hard to find a z with coefficients in {-1, 0, 1} such that Az mod q = r

[Figure: the structured n × n(log n) matrix A from Page 51 times z = r, with r = (12, 3, 7, 4)]

Page 65: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems for “Cyclic Lattices”

[Roadmap diagram: Worst-Case problems on cyclic lattices → Average-Case → One-Way Functions]

Page 66: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Cyclic Lattices

A set L in Z^n is a cyclic lattice if:

1.) For all v, w in L, v + w is also in L

Example: (-4, 3, 2, -1) + (6, 3, -2, -7) = (2, 6, 0, -8)

2.) For all v in L, -v is also in L

Example: v = (-4, 3, 2, -1), -v = (4, -3, -2, 1)

3.) For all v in L, a cyclic shift of v is also in L

Example: the successive cyclic shifts of (-4, 3, 2, -1) are (3, 2, -1, -4), (2, -1, -4, 3), (-1, -4, 3, 2)

Page 67: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Cyclic Lattices = Ideals in Z[x]/(x^n - 1)

A set L in Z^n is a cyclic lattice if:

1.) For all v, w in L, v + w is also in L

Example: (-4, 3, 2, -1) + (6, 3, -2, -7) = (2, 6, 0, -8)

2.) For all v in L, -v is also in L

Example: v = (-4, 3, 2, -1), -v = (4, -3, -2, 1)

3.) For all v in L, a cyclic shift of v is also in L

Example: the successive cyclic shifts of (-4, 3, 2, -1) are (3, 2, -1, -4), (2, -1, -4, 3), (-1, -4, 3, 2)

Page 68: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

(x^n - 1)-Ideal Lattices

A set L in Z^n is an (x^n - 1)-ideal lattice if:

1.) For all v, w in L, v + w is also in L

Example: (-4, 3, 2, -1) + (6, 3, -2, -7) = (2, 6, 0, -8)

2.) For all v in L, -v is also in L

Example: v = (-4, 3, 2, -1), -v = (4, -3, -2, 1)

3.) For all v in L, a cyclic shift of v is also in L

Example: the successive cyclic shifts of (-4, 3, 2, -1) are (3, 2, -1, -4), (2, -1, -4, 3), (-1, -4, 3, 2)

Page 69: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

What About Hash Functions?

[Figure: the structured n × n(log n) matrix A from Page 51 times z]

Not Collision-Resistant

Page 70: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

A “Simple” Modification

Theorem: It is hard to find a z with coefficients in {-1, 0, 1} such that Az mod q = 0

[Figure: A z, with the blocks of A now anti-circulant (each column is the previous one shifted down, with the wrapped entry negated); the matrix drawn on the slide:]

A =
  4 -1 -2 -7 | 10  -7  -1 -13
  7  4 -1 -2 | 13  10  -7  -1
  2  7  4 -1 |  1  13  10  -7
  1  2  7  4 |  7   1  13  10
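Added Python example (not the talk's code) covering the ring operations of Page 54, the all-ones-block collision argument of Pages 60 to 62, and why the (x^n + 1) modification on this slide blocks it: multiplication in Zp[x]/(x^n - 1) and in Zp[x]/(x^n + 1), checked against the slide's numbers. The modulus p = 17 used with the slide's block (4, 7, 2, 1) is an assumption; the slides do not state it.

```python
import itertools

def poly_mul_mod(f, g, p, neg=False):
    """Multiply f and g (coefficient lists, lowest degree first, length n) modulo p and
    modulo x^n - 1 (neg=False, cyclic) or x^n + 1 (neg=True, anti-cyclic): a term x^k
    with k >= n wraps to x^(k-n), picking up a factor -1 in the anti-cyclic ring."""
    n = len(f)
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                out[k] += fi * gj
            else:
                out[k - n] += -fi * gj if neg else fi * gj
    return [c % p for c in out]

def poly_add_mod(f, g, p):
    """Coefficient-wise addition modulo p (Page 54, addition)."""
    return [(a + b) % p for a, b in zip(f, g)]

def ring_hash(blocks, z, p, neg=False):
    """h(z) = sum_i a_i * z_i in the ring: a_i are the block polynomials (first columns
    of the structured blocks of A) and z_i is the i-th n-bit chunk of z."""
    n = len(blocks[0])
    acc = [0] * n
    for i, a in enumerate(blocks):
        acc = poly_add_mod(acc, poly_mul_mod(a, z[i * n:(i + 1) * n], p, neg), p)
    return acc

def all_ones_image(a, p, neg=False):
    """Image of the all-ones block (1, ..., 1) under multiplication by a (Page 61)."""
    return poly_mul_mod(a, [1] * len(a), p, neg)

def is_constant(v):
    return all(c == v[0] for c in v)

def block_pattern_images(blocks, p, neg=False):
    """Hash every z whose blocks are all-0 or all-1 (2^k inputs for k blocks) and return
    the number of distinct outputs. In the cyclic ring each block contributes a constant
    vector, so there are at most p distinct outputs and 2^k > p forces a collision."""
    n, k = len(blocks[0]), len(blocks)
    images = set()
    for pattern in itertools.product((0, 1), repeat=k):
        z = [bit for bit in pattern for _ in range(n)]
        images.add(tuple(ring_hash(blocks, z, p, neg)))
    return len(images)

if __name__ == "__main__":
    # Page 54: (1 + x^2)(2 + x^2 + x^3) = x + x^3 in Z_3[x]/(x^4 - 1)
    print(poly_mul_mod([1, 0, 1, 0], [2, 0, 1, 1], 3))
    # Page 61: the block (4, 7, 2, 1) times the all-ones block is (14, 14, 14, 14)
    print(all_ones_image([4, 7, 2, 1], 17))
    # This slide: in Z_17[x]/(x^4 + 1) the same block gives a non-constant vector
    print(all_ones_image([4, 7, 2, 1], 17, neg=True))
```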

Page 71: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems for (x^n + 1)-Ideal Lattices

[Roadmap diagram: Worst-Case problems on (x^n + 1)-ideal lattices → Average-Case: Small Integer Solution Problem (SIS) → Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes]

Page 72: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

(x^n + 1)-Ideal Lattices

A set L in Z^n is an (x^n + 1)-ideal lattice if:

1.) For all v, w in L, v + w is also in L

Example: (-4, 3, 2, -1) + (6, 3, -2, -7) = (2, 6, 0, -8)

2.) For all v in L, -v is also in L

Example: v = (-4, 3, 2, -1), -v = (4, -3, -2, 1)

3.) For all v in L, its “negative rotation” is also in L

Example: the successive negative rotations of (-4, 3, 2, -1) are (3, 2, -1, 4), (2, -1, 4, -3), (-1, 4, -3, -2)

Page 73: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

So How Efficient are the Ideal Lattice Constructions?

Collision-resistant hash functions

More efficient than any other provably-secure hash function

Almost as efficient as the ones used in practice

Can only prove collision-resistance

Signature schemes

Theoretically, very efficient

In practice, efficient

Key length ≈ 20,000 bits

Signature length ≈ 50,000 bits

Page 74: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Future Directions

Build more primitives (for ideas, go to http://cseweb.ucsd.edu/users/mihir/crypto-topic-generator.html)

Build “theoretically efficient” primitives based on lattices

Page 75: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Lattice Problems

[Roadmap diagram repeated from Page 6: Worst-Case lattice problems → Average-Case problems (SIS, LWE) → Minicrypt and Cryptomania primitives]

Page 76: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

Future Directions

Build more primitives (for inspiration, go to http://cseweb.ucsd.edu/users/mihir/crypto-topic-generator.html)

Build “theoretically efficient” primitives based on lattices

Build “cryptomania” primitives on the same assumption as “minicrypt” primitives

Build practical primitives using ideal lattices

Determine the hardness of ideal lattice problems

Page 77: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

References (General Lattices)

Worst-Case to Average-Case reductions:

To SIS [Ajt96, ..., MicReg04]

To LWE [Reg05]

Minicrypt Constructions

Hash functions [Ajt96, ..., MicReg04]

ID Schemes [MicVad03, Lyu08, KawTanXag08]

Signature Schemes [LyuMic08, GenPeiVai08]

Cryptomania Constructions

PKE [AjtDwo97,Reg03,Reg05,GenPeiVai08,PeiWat08,Pei09]

OT [PeiVai08]

Reductions Between Lattice Problems (relevant to this talk)

[Ban93,Reg05,LyuMic09]

Page 78: Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009.

References (Ideal Lattices)

Worst-Case to Average-Case Reductions

[Mic02,PeiRos06,LyuMic06]

Hash Functions

[PeiRos06,LyuMic06,LyuMicPeiRos08]

ID schemes

[Lyu09]

Signature Schemes

[LyuMic08,Lyu09,SteSteTanXag09]

PKE

[Gen09,SteSteTanXag09]