Introduction to Lattice-Based Cryptography
Vadim Lyubashevsky, Tel-Aviv University
September 9, 2009
Cryptographic Hardness Assumptions
Factoring is hard
Discrete Log Problem is hard
Diffie-Hellman problem is hard
Decisional Diffie-Hellman problem is hard
Problems involving Elliptic Curves are hard
Many assumptions
Why Do We Need More Assumptions?
Number theoretic functions are rather slow
Factoring, Discrete Log, Elliptic curves are “of the same flavor”
Quantum computers break all number theoretic assumptions
Lattice-Based Cryptography
Seemingly very different assumptions from factoring, discrete log, elliptic curves
Simple descriptions and implementations
Very parallelizable
Resists quantum attacks (we think)
Security based on worst-case problems
Average-Case Assumptions vs. Worst-Case Assumptions
Example: Want to base a scheme on factoring
Need to generate a “hard-to-factor” N
How?
Need a “hard distribution”
Wishful thinking: Factoring random numbers from some distribution is as hard as factoring any number
Lattice Problems
[Figure: worst-case lattice problems on the left reduce to the average-case problems SIS (Small Integer Solution Problem) and LWE (Learning With Errors Problem). SIS gives the Minicrypt primitives: one-way functions, collision-resistant hash functions, digital signatures, identification schemes. LWE gives the Cryptomania primitives: public key encryption, oblivious transfer, identity-based encryption, hierarchical identity-based encryption.]
Lattices
Lattice: A discrete additive subgroup of R^n
Basis: A set of linearly independent vectors that generate the lattice.
Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors
Approximate Shortest Independent Vector Problem
Find n pretty short linearly independent vectors
Bounded Distance Decoding (BDD)
Given a target vector that's close to the lattice, find the nearest lattice vector
[Figure: the Lattice Problems diagram again, now with the worst-case problems filled in: BDD and SIVP on the worst-case side, SIS and LWE on the average-case side; the arrow into LWE is labelled “quantum”.]
Small Integer Solution Problem
Given: Random vectors a1,...,am in Z_q^n
Find: non-trivial solution z1,...,zm in {-1,0,1} such that a1z1 + a2z2 + … + amzm = 0
Observations:
If the size of the zi is not restricted, then the problem is trivial
Immediately implies a collision-resistant hash function
Collision-Resistant Hash Function
Given: Random vectors a1,...,am in Z_q^n
Find: non-trivial solution z1,...,zm in {-1,0,1} such that a1z1 + a2z2 + … + amzm = 0
A = (a1,...,am). Define hA: {0,1}^m → Z_q^n where hA(z1,...,zm) = a1z1 + … + amzm
Domain of h = {0,1}^m (size = 2^m). Range of h = Z_q^n (size = q^n). Set m > n log q to get compression
Collision: a1z1 + … + amzm = a1y1 + … + amym
So, a1(z1-y1) + … + am(zm-ym) = 0 and the zi-yi are in {-1,0,1}
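The following Python program is added here as an illustration and is not part of the talk. It implements hA over Z_q^n with toy parameters chosen by me (n=3, q=5, m=8, so that 2^m > q^n and a collision must exist; the key A is drawn from a seeded generator) and carries out the collision-to-SIS argument above: it enumerates inputs until two of them hash to the same value and checks that their difference is a non-trivial SIS solution with entries in {-1,0,1}.

```python
import random
from itertools import product

# Toy parameters (constructed for this example, not from the slides).
N, Q = 3, 5          # vectors live in Z_q^n with n = 3, q = 5
M = 8                # m = 8 > n*log2(q) ~ 6.97, so 2^m = 256 > q^n = 125

def make_key(seed=1):
    """Sample A = (a_1, ..., a_m) with each a_i uniform in Z_q^n."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]

def hash_A(A, z):
    """h_A(z_1..z_m) = a_1 z_1 + ... + a_m z_m in Z_q^n, with z_i in {0,1}."""
    assert len(z) == len(A) and all(b in (0, 1) for b in z)
    out = [0] * N
    for a, zi in zip(A, z):
        if zi:
            out = [(o + ai) % Q for o, ai in zip(out, a)]
    return tuple(out)

def is_sis_solution(A, z):
    """True iff z is non-zero, has entries in {-1,0,1}, and sum a_i z_i = 0 mod q."""
    if all(zi == 0 for zi in z) or any(zi not in (-1, 0, 1) for zi in z):
        return False
    acc = [0] * N
    for a, zi in zip(A, z):
        acc = [(c + zi * ai) % Q for c, ai in zip(acc, a)]
    return all(c == 0 for c in acc)

def find_collision(A):
    """Pigeonhole: 2^m inputs land in q^n outputs, so a collision exists.
    Enumerate the inputs (fine at toy sizes only) until one is found."""
    seen = {}
    for z in product((0, 1), repeat=M):
        y = seen.setdefault(hash_A(A, z), z)
        if y != z:
            return y, z
    return None

def collision_to_sis(y, z):
    """A collision (y, z) yields the SIS solution z - y, whose entries are in {-1,0,1}."""
    return tuple(zi - yi for zi, yi in zip(z, y))

if __name__ == "__main__":
    A = make_key()
    y, z = find_collision(A)
    print("collision:", y, z, "-> SIS solution", collision_to_sis(y, z))
```

The enumeration is only there to make the collision visible at toy size; the point of the slide is the other direction, namely that any collision finder, however it works, immediately gives a SIS solver.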
[Figure: the Lattice Problems diagram with the worst-case problems BDD and SIVP beside the average-case problems SIS and LWE; this section covers the SIVP-to-SIS step.]
For Any Lattice ...
Consider the distribution obtained by:
1. Pick a uniformly random lattice point
2. Sample from a Gaussian distribution centered at the lattice point
[Figures: a one-dimensional and a two-dimensional Gaussian distribution (image courtesy of Wikipedia); a sequence of four pictures of Gaussians on lattice points (images courtesy of Oded Regev)]
Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors
Standard deviation of the Gaussian that leads to the uniform distribution is related to the length of the longest vector in the SIVP solution
Worst-Case to Average-Case Reduction
[Figure: a two-dimensional lattice with the finer grid of points around it labelled by elements of Z_q^n; labels 0, 1, 2 are shown, i.e. q = 3]
Important: All lattice points have label (0,0), and all points labelled (0,0) are lattice points (0^n in n-dimensional lattices)
How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
  Pick a random lattice point
  Gaussian sample a point around the lattice point
All the samples are uniform in Z_q^n
Give the m “Z_q^n samples” a1,...,am to the SIS oracle
Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … + amzm = 0
Write each sample as si = vi + ri, where vi is the lattice point that was picked, ri is the Gaussian offset, and ai is the label of si
Since a1z1 + … + amzm = 0, the point s1z1+...+smzm has label 0, so s1z1+...+smzm is a lattice vector
(v1+r1)z1+...+(vm+rm)zm is a lattice vector
(v1z1+...+vmzm) + (r1z1+...+rmzm) is a lattice vector
So r1z1+...+rmzm is a lattice vector
ri are short vectors, zi are in {-1,0,1}
So r1z1+...+rmzm is a short lattice vector
Some Technicalities
You can’t sample a “uniformly random” lattice point
  In the proofs, we work with R^n / L rather than R^n
  So you don't need to sample a random lattice point
What if r1z1+...+rmzm is 0?
  Can show that with high probability it isn't
  Given an si, there are multiple possible ri
Gaussian sampling doesn’t give us points on the grid
  You can round to a grid point
  Must be careful to bound the “rounding distance”
Learning With Errors Problem
Distinguish between these two distributions:
Oracle 1 outputs (a1, b1 = <a1,s> + e1), (a2, b2 = <a2,s> + e2), …
  s is chosen randomly in Z_q^n
  ai are chosen randomly from Z_q^n
  ei are “small” elements in Z_q
Oracle 2 outputs (a1, b1), (a2, b2), …
  ai are chosen randomly from Z_q^n
  bi are chosen randomly from Z_q
Learning With Errors Problem (matrix form)
Stack the samples a1,...,am as the rows of a matrix A, so that As + e = b
ai and s are in Z_q^n; e is in Z_q^m; all coefficients of e are < sqrt(q)
A is in Z_q^{m x n}, s is in Z_q^n, e is in Z_q^m
LWE problem: Distinguish (A, As+e) from (A, b) where b is random
Public Key Encryption Based on LWE
Secret Key: s in Z_q^n
Public Key: A in Z_q^{m x n}, b = As + e, where each coefficient of e is < sqrt(q)
Encrypting a single bit z in {0,1}: Pick r in {0,1}^m. Send (rA, <r,b> + z(q/2))
Proof of Semantic Security
If b is random, then (A, rA, <r,b>) is also completely random. So (A, rA, <r,b> + z(q/2)) is also completely random.
Since (A,b) looks random (based on the hardness of LWE), so does (A, rA, <r,b> + z(q/2)) for any z
Decryption
Have (u,v) where u = rA and v = <r,b> + z(q/2)
Compute <u,s> - v. If <u,s> - v is closer to 0 than to q/2, then decrypt to 0. If <u,s> - v is closer to q/2 than to 0, then decrypt to 1.
<u,s> - v = rAs – r(As+e) - z(q/2) = -<r,e> - z(q/2). If all coefficients of e are < sqrt(q), then |<r,e>| < m*sqrt(q). So if q >> m*sqrt(q), z(q/2) “dominates” the term -<r,e> - z(q/2)
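The following Python program is an added illustration of the encryption, semantic-security setup and decryption steps above; it is not code from the talk. The parameters are my own toy choices (q = 2^20, n = 8, m = 32, error coefficients bounded by 64, so that m times the error bound stays well below q/4); with them the decryption rule is exactly the “closer to 0 or to q/2” test from the slide, and the program checks it on random bits.

```python
import random

# Toy parameters (constructed for this example, not from the slides).
Q = 1 << 20            # q = 1,048,576, so sqrt(q) = 1024
N, M = 8, 32           # secret dimension n, number of samples m
E_BOUND = 64           # |e_i| <= 64 < sqrt(q); m * E_BOUND = 2048, far below q/4 = 262144

def _dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def keygen(rng):
    """Secret key s in Z_q^n; public key (A, b = As + e) with A in Z_q^{m x n}."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-E_BOUND, E_BOUND) for _ in range(M)]
    b = [(_dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, z, rng):
    """Encrypt one bit z: pick r in {0,1}^m and send (u, v) = (rA, <r,b> + z*q/2)."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(ri * A[i][j] for i, ri in enumerate(r)) % Q for j in range(N)]
    v = (_dot(r, b) + z * (Q // 2)) % Q
    return u, v

def decrypt(sk, ct):
    """v - <u,s> = <r,e> + z*q/2 (mod q): decide by whether it is closer to 0 or to q/2.
    Correct as long as |<r,e>| < q/4, which m * E_BOUND < q/4 guarantees."""
    u, v = ct
    d = (v - _dot(u, sk)) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def encrypt_decrypt_bit(z, seed=3):
    """Fresh key pair, one encryption of z, and the decrypted result."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    return decrypt(sk, encrypt(pk, z, rng))

def roundtrip(seed=7, trials=50):
    """Encrypt random bits under one key pair; return how many decrypt wrongly."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    failures = 0
    for _ in range(trials):
        z = rng.randrange(2)
        failures += decrypt(sk, encrypt(pk, z, rng)) != z
    return failures

if __name__ == "__main__":
    print("decryption failures:", roundtrip())
```

The public key here is m*n plus m elements of Z_q, which is where the large key sizes mentioned later in the talk come from; the 2^20 modulus is needed only so that the error term stays comfortably inside the decryption margin at this m.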
Lattices in Practice
Lattices have some great features
Very strong security proofs
The schemes are fairly simple
Relatively efficient
But there is a major drawback
Schemes have very large keys
Hash Function
Input: Bit-string z1...zm in {0,1}
Description of the hash function: a1,...,am in Z_q^n
h(z1...zm) = a1z1 + a2z2 + … + amzm
Sample parameters: n=64, m=1024, p=257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description: log(257)*64*1024 ≈ 525,000 bits
Public-Key Cryptosystem
(Textbook) RSA:
Key-size: ≈ 2048 bits
Ciphertext length (2048 bit message): ≈ 2048 bits
LWE-based scheme:
Key-size: ≈ 600,000 bits
Ciphertext length (2048 bit message): ≈ 40,000 bits
Source of Inefficiency
[Figure: h(z) = A z, with A a random n × n(log n) matrix and z a 0/1 vector; the example shows a 4 × 8 matrix with columns (4,7,2,1), (11,7,9,3), (6,1,12,14), (8,2,5,9), (10,13,1,7), (7,0,2,1), (6,3,5,11), (14,0,9,1) and z = (0,1,1,0,1,0,0,1)]
Require O(n^2) storage
Computing the function takes O(n^2) time
A More Efficient Idea
[Figure: h(z) = A z where A = [A1 | A2] is built from blocks whose columns are cyclic rotations of a single vector: A1 has columns (4,7,2,1), (1,4,7,2), (2,1,4,7), (7,2,1,4) and A2 has columns (10,13,1,7), (7,10,13,1), (1,7,10,13), (13,1,7,10); z is an 8-bit vector]
Now A only requires n(log n) storage
Az can be computed faster as well
Splitting z into blocks of n bits and reading each block as a polynomial (the figure uses z = (1,0,0,1,0,1,1,0), i.e. the polynomials 1+x^3 and x+x^2), Az is a sum of polynomial products:
(4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) in Z_p[x]/(x^n-1)
Interlude: What is Z_p[x]/(x^n-1)?
Z = integers
Z_p = integers modulo p
Z_p[x] = polynomials with coefficients in Z_p
  Example if p=3: 1+x, 2+x^2+x^1001
Z_p[x]/(x^n-1) = polynomials of degree at most n-1, with coefficients in Z_p
  Example if p=3 and n=4: 1+x, 2+x+x^2
Operations in Z_p[x]/(x^n-1)?
Addition: Addition of polynomials modulo p
  Example if p=3 and n=4: (1+x^2) + (2+x^2+x^3) = 2x^2+x^3
Multiplication: Polynomial multiplication modulo p and x^n-1
  Example if p=3 and n=4: (1+x^2) * (2+x^2+x^3) = 2+3x^2+x^3+x^4+x^5 = 2+3x^2+x^3+1+x = x+x^3
Multiplication in Z_p[x]/(x^n-1) as a Matrix/Vector Product
Have polynomials f and g = g0 + g1x + g2x^2 + ... + g_{n-1}x^{n-1}
Take the matrix whose columns are f, fx, fx^2, fx^3 (for n=4) and multiply it by the coefficient vector (g0, g1, g2, g3):
[f | fx | fx^2 | fx^3] · (g0, g1, g2, g3) = g0 f + g1 fx + g2 fx^2 + g3 fx^3 = f(g0 + g1x + g2x^2 + g3x^3) = fg
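The following Python program is an added illustration of the interlude and of the matrix/vector view above; it is not code from the talk. It implements addition and multiplication in Z_p[x]/(x^n-1) on coefficient lists, builds the matrix with columns f, fx, fx^2, ..., and checks that the matrix/vector product agrees with the ring product on the slide's own examples (p=3, n=4) and on the two-block hash example (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2); the modulus p=257 used for that last computation is my assumption, taken from the sample parameters earlier in the talk.

```python
# Polynomials are coefficient lists: [c0, c1, ..., c_{n-1}] means c0 + c1 x + ... .

def ring_add(f, g, p, n):
    """Addition in Z_p[x]/(x^n - 1): coefficient-wise, mod p."""
    assert len(f) == n and len(g) == n
    return [(a + b) % p for a, b in zip(f, g)]

def ring_mul(f, g, p, n):
    """Multiplication in Z_p[x]/(x^n - 1): schoolbook product, then x^n = 1, then mod p."""
    prod = [0] * (2 * n - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            prod[i + j] += a * b
    out = [0] * n
    for k, c in enumerate(prod):
        out[k % n] += c          # x^k = x^(k mod n) because x^n = 1
    return [c % p for c in out]

def rotate_matrix(f, p, n):
    """Rows of the n x n matrix whose columns are f, x f, x^2 f, ..., x^(n-1) f.
    Multiplying by x mod x^n - 1 rotates the coefficient vector right by one."""
    cols, cur = [], list(f)
    for _ in range(n):
        cols.append(cur)
        cur = [cur[-1] % p] + cur[:-1]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def mat_vec(A, g, p):
    """Ordinary matrix/vector product over Z_p."""
    return [sum(a * b for a, b in zip(row, g)) % p for row in A]

def ring_hash(polys, z, p, n):
    """h(z) = sum_i a_i(x) * z_i(x) with z cut into blocks of n bits: the hash A z
    where A = [A_1 | A_2 | ...] and A_i is the rotation matrix of a_i."""
    assert len(z) == n * len(polys)
    acc = [0] * n
    for i, a in enumerate(polys):
        acc = ring_add(acc, ring_mul(a, z[i * n:(i + 1) * n], p, n), p, n)
    return acc

if __name__ == "__main__":
    # The slide's two-block example, assumed to be over p = 257.
    print(ring_hash([[4, 7, 2, 1], [10, 13, 1, 7]], [1, 0, 0, 1, 0, 1, 1, 0], 257, 4))
```

With the rotation matrix built this way, the columns are exactly the f, fx, fx^2, fx^3 of the slide, so mat_vec(rotate_matrix(f), g) and ring_mul(f, g) must agree, which is what makes the n(log n)-size description of the hash possible.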
A More Efficient Idea
[Figure: the same A = [A1 | A2] with cyclic-rotation columns and the same z; Az = (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) in Z_p[x]/(x^n-1)]
Multiplication in Z_p[x]/(x^n-1) takes time O(n log n) using FFT
Great, a Better Hash Function!
Sample parameters: n=64, m=1024, p=257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description: log(257)*64*1024 ≈ 525,000 bits
“New function” description: log(257)*64*16 ≈ 8192 bits and it's much faster!
But Is it Hard to Find Collisions?
[Figure: h(z) = A z with the cyclic-rotation blocks A1 (columns (4,7,2,1), (1,4,7,2), (2,1,4,7), (7,2,1,4)) and A2 (columns (10,13,1,7), (7,10,13,1), (1,7,10,13), (13,1,7,10))]
NO!
Finding Collisions
[Figure: h maps the domain D to the range R; h restricted to a subset D' of the domain maps into a subset R' of the range]
Finding Collisions
[Figure: A1 z1 + A2 z2 = h(z), with the cyclic-rotation blocks above]
How many possibilities are there for this vector? It is in Z_q^n, so q^n
There is a way to pick the z vector “smarter” so that the number of possibilities is just q
Finding Collisions
[Figure: A1 (cyclic rotations of (4,7,2,1)) times the all-zero block (0,0,0,0) gives (0,0,0,0); A1 times the all-one block (1,1,1,1) gives (14,14,14,14)]
Every row of A1 is a rotation of (4,7,2,1), so each coordinate of A1·(1,1,1,1) is 4+7+2+1 = 14
Finding Collisions
[Figure: A1 z1 + A2 z2 = h(z) in Z_q^n, with the cyclic-rotation blocks]
Set each block of z to either all 0's or all 1's. How many possibilities for z are there? 2^(# of blocks)
Need 2^(# of blocks) > q to guarantee a collision of this form
# of blocks > log q
Collision-Resistant Hash Function
Given: Vectors a1,...,am in Z_q^n
Find: non-trivial solution z1,...,zm in {-1,0,1} such that a1z1 + a2z2 + … + amzm = 0
A = (a1,...,am). Define hA: {0,1}^m → Z_q^n where hA(z1,...,zm) = a1z1 + … + amzm
Domain of h = {0,1}^m (size = 2^m). Range of h = Z_q^n (size = q^n). Set m > n log q to get compression
# of blocks = m/n > log q
But …
Theorem: For a random r in Z_q^n, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q = r
[Figure: A z = r with the cyclic-rotation blocks A1, A2 and r = (12,3,7,4)]
Lattice Problems for “Cyclic Lattices”
[Figure: worst-case problems on cyclic lattices reduce to an average-case problem that gives one-way functions]
Cyclic Lattices
A set L in Z^n is a cyclic lattice if:
1.) For all v,w in L, v+w is also in L (example: (-4,3,2,-1) + (6,3,-2,-7) = (2,6,0,-8))
2.) For all v in L, -v is also in L (example: -(-4,3,2,-1) = (4,-3,-2,1))
3.) For all v in L, a cyclic shift of v is also in L (example: the cyclic shifts of (-4,3,2,-1) are (3,2,-1,-4), (2,-1,-4,3), (-1,-4,3,2))
Cyclic Lattices = Ideals in Z[x]/(x^n-1)
The three conditions are the ones above: reading v = (v0,...,v_{n-1}) as the polynomial v0 + v1x + ... + v_{n-1}x^{n-1}, conditions 1 and 2 say L is an additive subgroup, and condition 3 says L is closed under multiplication by x (a cyclic shift), hence under multiplication by any polynomial, which is exactly what makes L an ideal.
(x^n-1)-Ideal Lattices
This is the same definition under the name used from here on: a set L in Z^n is an (x^n-1)-ideal lattice if it satisfies conditions 1.), 2.) and 3.) above (closed under addition, negation, and cyclic shift).
What About Hash Functions?
[Figure: h(z) = A z with the cyclic-rotation blocks A1, A2]
Not Collision-Resistant
A “Simple” Modification
Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q = 0
[Figure: h(z) = A z where the blocks now use “negative rotations”: A1 has columns (4,7,2,1), (-1,4,7,2), (-2,-1,4,7), (-7,-2,-1,4) and A2 has columns (10,13,1,7), (-7,10,13,1), (-1,-7,10,13), (-13,-1,-7,10), i.e. the columns are f, xf, x^2f, x^3f in Z_p[x]/(x^n+1)]
Lattice Problems for (x^n+1)-Ideal Lattices
[Figure: worst-case problems on (x^n+1)-ideal lattices reduce to the Small Integer Solution Problem (SIS), which gives the Minicrypt primitives: one-way functions, collision-resistant hash functions, digital signatures, identification schemes]
(x^n+1)-Ideal Lattices
A set L in Z^n is an (x^n+1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L (example: (-4,3,2,-1) + (6,3,-2,-7) = (2,6,0,-8))
2.) For all v in L, -v is also in L (example: -(-4,3,2,-1) = (4,-3,-2,1))
3.) For all v in L, its “negative rotation” is also in L (example: rotating (-4,3,2,-1) and negating the coordinate that wraps around gives (3,2,-1,4), then (2,-1,4,-3), then (-1,4,-3,-2))
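The following Python program is an added illustration, not code from the talk, serving two passages: the “Finding Collisions” argument for the Z_p[x]/(x^n-1) hash (blocks of z set to all 0's or all 1's give at most q distinct outputs, so more than log q blocks force a collision) and the “simple modification” to x^n+1 just described. The block polynomials, p=17, n=4 and the five blocks are my own toy choices. It builds each block as the matrix of cyclic rotations (sign +1, multiplication by x mod x^n-1) or of negative rotations (sign -1, multiplication by x mod x^n+1), hashes every block-constant input, and shows that the cyclic version collapses onto constant vectors while the negacyclic version does not.

```python
from itertools import product

# Toy parameters (constructed for this example, not from the slides).
P, N = 17, 4
POLYS = [[4, 7, 2, 1], [10, 13, 1, 7], [3, 0, 5, 2], [9, 9, 1, 6], [1, 2, 3, 4]]  # 5 blocks, 2^5 > p

def rotation_matrix(f, n, sign):
    """Rows of the n x n matrix whose columns are f, x f, ..., x^(n-1) f.
    sign=+1: x^n = 1, a cyclic rotation; sign=-1: x^n = -1, a negative rotation
    (the wrapped coefficient changes sign)."""
    cols, cur = [], list(f)
    for _ in range(n):
        cols.append(cur)
        cur = [sign * cur[-1]] + cur[:-1]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def hash_blocks(polys, z, p, n, sign):
    """h(z) = [A_1 | A_2 | ...] z mod p, A_i the (nega)cyclic rotation matrix of a_i."""
    assert len(z) == n * len(polys)
    out = [0] * n
    for i, f in enumerate(polys):
        blk = z[i * n:(i + 1) * n]
        A = rotation_matrix(f, n, sign)
        out = [(o + sum(a * b for a, b in zip(row, blk))) % p for o, row in zip(out, A)]
    return tuple(out)

def block_constant_images(polys, p, n, sign):
    """Hash every z whose blocks are all-0 or all-1 (2^#blocks inputs).
    Returns {hash value: [block patterns mapping to it]}."""
    images = {}
    for pattern in product((0, 1), repeat=len(polys)):
        z = [bit for bit in pattern for _ in range(n)]
        images.setdefault(hash_blocks(polys, z, p, n, sign), []).append(pattern)
    return images

def find_block_collision(polys, p, n, sign):
    """Two distinct block patterns with the same hash, or None if all differ."""
    for pats in block_constant_images(polys, p, n, sign).values():
        if len(pats) > 1:
            return pats[0], pats[1]
    return None

if __name__ == "__main__":
    cyc = block_constant_images(POLYS, P, N, +1)
    neg = block_constant_images(POLYS, P, N, -1)
    print("cyclic: ", len(cyc), "distinct images of 32 inputs, e.g.", find_block_collision(POLYS, P, N, +1))
    print("x^n+1:  ", len(neg), "distinct images of 32 inputs")
```

In the cyclic case every row of a block matrix is a permutation of the same polynomial, so an all-ones block contributes a constant vector and the whole output lies in the q-element set {c·(1,...,1)}; with 5 blocks and q = 17 the pigeonhole collision is unavoidable. Under x^n+1 the wrapped coefficients are negated, the rows are no longer permutations of each other, and the same 32 inputs spread over more than q outputs, which is why the modification removes this particular structural collision (the slide's theorem is what says no other easy one exists).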
So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions
More efficient than any other provably-secure hash function
Almost as efficient as the ones used in practice
Can only prove collision-resistance
Signature schemes
Theoretically, very efficient
In practice, efficient
Key length ≈ 20,000 bits
Signature length ≈ 50,000 bits
Future Directions
Build more primitives (for inspiration, go to http://cseweb.ucsd.edu/users/mihir/crypto-topic-generator.html)
Build “theoretically efficient” primitives based on lattices
Build “cryptomania” primitives on the same assumption as “minicrypt” primitives
Build practical primitives using ideal lattices
Determine the hardness of ideal lattice problems
References (General Lattices)
Worst-Case to Average-Case reductions:
  To SIS [Ajt96, ..., MicReg04]
  To LWE [Reg05]
Minicrypt Constructions:
  Hash functions [Ajt96, ..., MicReg04]
  ID Schemes [MicVad03, Lyu08, KawTanXag08]
  Signature Schemes [LyuMic08, GenPeiVai08]
Cryptomania Constructions:
  PKE [AjtDwo97, Reg03, Reg05, GenPeiVai08, PeiWat08, Pei09]
  OT [PeiVai08]
Reductions Between Lattice Problems (relevant to this talk): [Ban93, Reg05, LyuMic09]
References (Ideal Lattices)
Worst-Case to Average-Case Reductions: [Mic02, PeiRos06, LyuMic06]
Hash Functions: [PeiRos06, LyuMic06, LyuMicPeiRos08]
ID schemes: [Lyu09]
Signature Schemes: [LyuMic08, Lyu09, SteSteTanXag09]
PKE: [Gen09, SteSteTanXag09]