Lattice-based Cryptography


Lattice-based Cryptography. Oded Regev, Tel-Aviv University. CRYPTO 2006, Santa Barbara, CA. Introduction to lattices; survey of lattice-based cryptography (hash functions [Ajtai96,…], public-key cryptography [AjtaiDwork97,…]); construction of a simple lattice-based hash function.

Transcript of Lattice-based Cryptography

Page 1: Lattice-based Cryptography

Lattice-based Cryptography

Oded Regev

Tel-Aviv University

CRYPTO 2006, Santa Barbara, CA

Page 2: Lattice-based Cryptography

Outline

• Introduction to lattices
• Survey of lattice-based cryptography
  • Hash functions [Ajtai96,…]
  • Public-key cryptography [AjtaiDwork97,…]
• Construction of a simple lattice-based hash function
• Open Problems

Page 3: Lattice-based Cryptography

Lattice

• For any vectors v1,…,vn in R^n, the lattice spanned by v1,…,vn is the set of points L = {a1v1 + … + anvn | ai integers}
• These vectors form a basis of L

[Figure: a two-dimensional lattice spanned by v1 and v2, with the points 0, v1, v2, 2v1, v1+v2, 2v2, 2v2-v1 and 2v2-2v1 labelled]

Page 4: Lattice-based Cryptography

History of Lattices

• Geometric objects with rich structure
• Investigated since 1800 by Lagrange, Gauss, Hermite, and Minkowski
• More recent developments:
  – LLL algorithm: finds ‘somewhat short’ vectors in lattices [LenstraLenstraLovàsz82]. Applications include:
    • Factoring polynomials over the rationals
    • Solving integer programs in fixed dimension
    • Cryptanalysis:
      – Breaking knapsack cryptosystems [LagariasOdlyzko85]
      – Breaking special cases of RSA [Coppersmith01]
      – And more…
  – Ajtai’s lattice-based cryptographic construction [Ajtai96]

Page 5: Lattice-based Cryptography

Shortest Vector Problem (SVP)

• SVP: given a lattice, find a shortest (nonzero) vector
• Approximate SVP: given a lattice and an approximation factor, find a vector of length at most that factor times the shortest
• Other lattice problems: SIVP, SBP, etc.

[Figure: a two-dimensional lattice with basis v1, v2, the origin 0, and the short lattice vector 3v2-4v1 highlighted]
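In dimension 2 the SVP of this slide can be solved exactly by Lagrange/Gauss basis reduction, the two-dimensional ancestor of the LLL algorithm that the next slides mention. The following Python is an added example, not code from the slides or from any of the cited papers; the bases it reduces are constructed for illustration and the function names are this example's own.

```python
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def gauss_reduce(v1, v2):
    """Lagrange/Gauss reduction of a two-dimensional integer lattice basis.
    Returns a reduced basis (u1, u2) of the same lattice in which u1 is a
    shortest nonzero lattice vector, so in dimension 2 SVP is solved exactly.
    The swap/subtract loop is the 2-D special case of what LLL does in general."""
    v1, v2 = list(v1), list(v2)
    while True:
        if dot(v2, v2) < dot(v1, v1):      # keep v1 the shorter vector
            v1, v2 = v2, v1
        n1 = dot(v1, v1)
        if n1 == 0:
            raise ValueError("basis vectors must be linearly independent")
        # nearest integer to <v1,v2>/<v1,v1>, computed exactly in integers
        mu = (2 * dot(v1, v2) + n1) // (2 * n1)
        if mu == 0:                         # |<v1,v2>| <= |v1|^2/2: reduced
            return tuple(v1), tuple(v2)
        v2 = [b - mu * a for a, b in zip(v1, v2)]


def shortest_vector(v1, v2):
    """A shortest nonzero vector of the lattice spanned by v1, v2."""
    return gauss_reduce(v1, v2)[0]


def approx_factor(candidate, v1, v2):
    """The factor by which a candidate lattice vector exceeds the shortest one,
    i.e. the approximation factor of the 'approximate SVP' definition."""
    s = shortest_vector(v1, v2)
    return math.sqrt(dot(candidate, candidate) / dot(s, s))


if __name__ == "__main__":
    # Constructed basis (7,1), (8,2): determinant 6, shortest vector (1,1)
    print(gauss_reduce((7, 1), (8, 2)))
    print(approx_factor((3, -3), (7, 1), (8, 2)))
```

The basis (5,3), (3,2) has determinant 1 and therefore spans all of Z^2, so reduction must return a vector of length 1; the basis (7,1), (8,2) has determinant 6 and its shortest vector is (1,1). The determinant is preserved by the reduction because every step is a unimodular change of basis.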

Page 6: Lattice-based Cryptography

Lattice Problems Seem Hard

• We’ll be interested in approximate SVP with approximation factor poly(n)
  – Best known algorithm runs in time 2^n [AjtaiKumarSivakumar01]
  – On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04]
• Best poly-time algorithm solves for factor 2^(n loglogn/logn) [LLL82, Schnorr85]
• NP-hard for sub-polynomial factors [Khot04]

[Figure: hardness of approximate SVP along the axis of approximation factors, from 1 (NP-hard) through 2^(log^(1-…) n) and n (NP∩coNP; the range used by crypto) up to 2^(n loglogn/logn) (in P)]

Page 7: Lattice-based Cryptography

Survey of Lattice-based Cryptography

Page 8: Lattice-based Cryptography

Why use lattice-based cryptography

• ‘Standard’ cryptography:
  – Based on hardness of factoring, discrete log, etc.
  – Based on an average-case assumption
  – Broken by quantum algorithms
  – Require modular exponentiation etc.

• Lattice-based cryptography:
  – Based on hardness of lattice problems
  – Based on a worst-case assumption
  – (Still) Not broken by quantum algorithms
  – Very simple computations

Page 9: Lattice-based Cryptography

Collision-Resistant Hash Functions

• A CRHF is a function f: {0,1}^r → {0,1}^s with r > s such that it is hard to find collisions, i.e., x ≠ y s.t. f(x) = f(y)
• First lattice-based CRHF given in [Ajtai96]
  – Based on the worst-case hardness of n^8-approximate SVP
• Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04]
• Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04]

Page 10: Lattice-based Cryptography

The Modular Subset-Sum Function

• Let N be a big integer, and m = 2 log2 N
• Choose a1,…,am uniformly in {0,…,N-1}. Then define f_{a1,…,am}: {0,1}^m → {0,…,N-1} by
  f_{a1,…,am}(b1,…,bm) = Σ bi ai mod N
• Since m > log2 N, (many) collisions exist
• We will later see a proof of security:
  • Being able to find a collision in a randomly chosen f, even with probability n^(-100), implies a solution to any instance of approximate-SVP

Page 11: Lattice-based Cryptography

Recent Work: More Efficient CRHFs

• In the constructions above, for security based on n-dimensional lattices, O(n^2) bits are necessary to specify a hash function
• More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06]
  – Only O(n) bits needed to specify a hash function
  – Based on worst-case hardness of approximate-SVP on a restricted class of lattices known as cyclic lattices

Page 12: Lattice-based Cryptography

Public-key Cryptosystem

• A PKC allows parties to communicate securely without having to agree on a secret key beforehand
• First lattice-based PKC presented in [AjtaiDwork97]
  – Some improvements [GoldreichGoldwasserHalevi97, R03]
• Security based on the worst-case hardness of a special case of SVP known as unique-SVP
• Some disadvantages:
  • Based only on unique-SVP
  • Impractical (think of n as 100):
    • Public key size O(n^4)
    • Encryption expands by O(n^2)

Page 13: Lattice-based Cryptography

A Recent Public-key Cryptosystem [Ajtai05]

• Main advantages:
  • Practical (think of n as 100):
    • Public key size O(n)
    • Encryption expands by O(n)
• Some disadvantages:
  • Not based on lattice problems
  • No worst-case hardness

Page 14: Lattice-based Cryptography

Another Recent Public-key Cryptosystem [R05]

• Main advantages:
  • Practical (think of n as 100):
    • Public key size O(n)
    • Encryption expands by O(n)
  • Worst-case hardness
  • Based on the main lattice problems (SVP, SIVP)
• One disadvantage:
  • Breaking the cryptosystem implies an efficient quantum algorithm for lattices

Page 15: Lattice-based Cryptography

Example of a lattice-based PKC [R05]

• Everything modulo 4
• Private key: 4 random numbers: 1 2 0 3
• Public key: a 6x4 matrix and approximate inner products with the private key:
  2·? + 0·? + 1·? + 2·? ≈ 1
  1·? + 2·? + 2·? + 3·? ≈ 2
  0·? + 2·? + 0·? + 3·? ≈ 1
  1·? + 2·? + 0·? + 2·? ≈ 0
  0·? + 3·? + 1·? + 3·? ≈ 3
  3·? + 3·? + 0·? + 2·? ≈ 2
  With the private key filled in, the same rows read 2·1 + 0·2 + 1·0 + 2·3 ≈ 1, 1·1 + 2·2 + 2·0 + 3·3 ≈ 2, 0·1 + 2·2 + 0·0 + 3·3 ≈ 1, 1·1 + 2·2 + 0·0 + 2·3 ≈ 0, 0·1 + 3·2 + 1·0 + 3·3 ≈ 3, 3·1 + 3·2 + 0·0 + 2·3 ≈ 2, while the exact values mod 4 are 2·1 + 0·2 + 1·0 + 2·3 = 0, 1·1 + 2·2 + 2·0 + 3·3 = 2, 0·1 + 2·2 + 0·0 + 3·3 = 1, 1·1 + 2·2 + 0·0 + 2·3 = 3, 0·1 + 3·2 + 1·0 + 3·3 = 3, 3·1 + 3·2 + 0·0 + 2·3 = 3
• Encrypt the bit 0: 3·? + 2·? + 1·? + 0·? ≈ 3
• Encrypt the bit 1: 3·? + 2·? + 1·? + 0·? ≈ 1
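The slide's instance, worked through in code. The following Python is an added example, not code from the slides or from [R05]: it embeds the slide's mod-4 numbers (secret (1,2,0,3), the 6x4 matrix, the published approximate values and the two ciphertexts) and adds a generic keygen/encrypt/decrypt for larger moduli. The ±1 error model in keygen and the decision rule in decrypt (a bit is read as 1 when the difference lies between q/4 and 3q/4) are this example's assumptions, not statements from the slides.

```python
import random

# Numbers from the slide (everything modulo 4): the private key, the 6x4 public
# matrix, and the published approximate inner products.
Q_SLIDE = 4
SECRET_SLIDE = (1, 2, 0, 3)
ROWS_SLIDE = [(2, 0, 1, 2), (1, 2, 2, 3), (0, 2, 0, 3),
              (1, 2, 0, 2), (0, 3, 1, 3), (3, 3, 0, 2)]
VALUES_SLIDE = [1, 2, 1, 0, 3, 2]
# The two ciphertexts shown on the slide: the same row combination with
# published value 3 (bit 0) and 1 (bit 1).
CT_BIT0_SLIDE = ((3, 2, 1, 0), 3)
CT_BIT1_SLIDE = ((3, 2, 1, 0), 1)


def inner_mod(a, s, q):
    return sum(x * y for x, y in zip(a, s)) % q


def exact_inner_products(rows=ROWS_SLIDE, s=SECRET_SLIDE, q=Q_SLIDE):
    """Inner products of the public rows with the secret, without the error."""
    return [inner_mod(r, s, q) for r in rows]


def keygen(n, m, q, rng, noise=(-1, 0, 1)):
    """Private key: n random numbers mod q. Public key: m random rows together
    with the inner product of each row with the private key plus a small error
    (error model assumed here: uniform in {-1,0,1})."""
    s = tuple(rng.randrange(q) for _ in range(n))
    rows = [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m)]
    values = [(inner_mod(r, s, q) + rng.choice(noise)) % q for r in rows]
    return s, (rows, values)


def encrypt(pub, bit, q, rng):
    """Add up a random subset of the public rows and of their published values;
    a 1 bit shifts the summed value by q/2."""
    rows, values = pub
    subset = [i for i in range(len(rows)) if rng.random() < 0.5]
    c = tuple(sum(rows[i][j] for i in subset) % q for j in range(len(rows[0])))
    v = (sum(values[i] for i in subset) + (q // 2 if bit else 0)) % q
    return c, v


def decrypt(s, ct, q):
    """The key holder recomputes the inner product of c with s; the published
    value is within the accumulated error of it for a 0 bit and about q/2 away
    for a 1 bit (decision rule assumed by this example)."""
    c, v = ct
    d = (v - inner_mod(c, s, q)) % q
    return 1 if q / 4 <= d <= 3 * q / 4 else 0


def roundtrip_all_ok(n=8, m=24, q=257, trials=50, seed=1):
    """With per-row error in {-1,0,1} the accumulated error of a ciphertext is
    at most m; when m < q/4 every bit decrypts correctly. Returns True if all
    trials round-trip."""
    rng = random.Random(seed)
    s, pub = keygen(n, m, q, rng)
    return all(decrypt(s, encrypt(pub, bit, q, rng), q) == bit
               for _ in range(trials) for bit in (0, 1))


if __name__ == "__main__":
    print(exact_inner_products())                  # [0, 2, 1, 3, 3, 3]
    print(decrypt(SECRET_SLIDE, CT_BIT0_SLIDE, 4), # 0
          decrypt(SECRET_SLIDE, CT_BIT1_SLIDE, 4)) # 1
    print(roundtrip_all_ok())                      # True
```

With q = 4 and errors of ±1 per row the slide's instance is only illustrative: the errors of the rows in a subset add up, so a real instance needs the modulus large relative to the number of rows combined, which is what the q = 257, m = 24 round trip in roundtrip_all_ok shows.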

Page 16: Lattice-based Cryptography

Construction of a Lattice-based Collision Resistant Hash Function

Page 17: Lattice-based Cryptography

Blurring a Picture

Page 18: Lattice-based Cryptography

Blurring a Lattice

Page 19: Lattice-based Cryptography

Blurring a Lattice

Page 20: Lattice-based Cryptography

Blurring a Lattice

Page 21: Lattice-based Cryptography

Blurring a Lattice

Page 22: Lattice-based Cryptography

Blurring a Lattice

Page 23: Lattice-based Cryptography

The Smoothing Radius

• Define the smoothing radius of a lattice L, a real number > 0, as the smallest real such that adding Gaussian blur of that radius to L yields an essentially uniform distribution
• The radius was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93]
• It was shown that it is ‘small’ in the sense that finding vectors of length poly(n) times the smoothing radius of L implies a solution to poly(n)-approximate SVP

Page 24: Lattice-based Cryptography

An Alternative Definition

• Define h: R^n → [0,1)^n that maps any x, written as a real combination of the basis vectors v1,…,vn, to its vector of coefficients reduced mod 1
  • E.g., any x ∈ L has h(x) = (0,…,0)
• Then the alternative way to define the smoothing radius is as:
  • The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of that radius, then h(x) is ‘essentially’ uniform on [0,1)^n

Page 25: Lattice-based Cryptography

[Figure: points 0, x1, x2, x3, x4 in R^n on the left, and their images h(x1), h(x2), h(x3), h(x4) in the unit cube [0,1)^n with corners (0,0), (1,0), (0,1), (1,1) on the right]

Page 26: Lattice-based Cryptography

Our CRHF

• Fix the dimension n, let q = 2^(2n), and m = 4n^2
• Choose a1,…,am uniformly in Z_q^n. Then define f_{a1,…,am}: {0,1}^m → {0,1}^(n log2 q) by
  f_{a1,…,am}(b1,…,bm) = Σ bi ai (mod q)
• Since m > n log2 q, (many) collisions exist
• We now prove security by showing that:
  • Being able to find a collision in a randomly chosen f_{a1,…,am}, even with probability n^(-100), implies a solution to any instance of poly(n)-approximate SVP

Page 27: Lattice-based Cryptography

Security Proof

• Assume there exists an algorithm CollisionFind that given a1,…,am chosen uniformly in Z_q^n, finds with some non-negligible probability b1,…,bm ∈ {-1,0,1} (not all zero) such that Σ bi ai = 0 (mod q).
• This implies an algorithm CollisionFind’ that given a1,…,am chosen uniformly from [0,1)^n, finds with some non-negligible probability b1,…,bm ∈ {-1,0,1} (not all zero) such that Σ bi ai ≈ (0,…,0) (mod 1) (up to m/q in each coordinate)

Page 28: Lattice-based Cryptography

[Figure: CollisionFind’ applied to points a1,…,a6 in the unit square [0,1)^2 with corners (0,0), (1,0), (0,1), (1,1); output: “a1 + a2 - a4 + a5 ≈ (0,…,0) (mod 1)”]

Page 29: Lattice-based Cryptography

Security Proof

• Our goal is to show that using CollisionFind’ we can find a nonzero vector of length at most poly(n) times the smoothing radius in any given lattice L
• So let L be a given lattice with basis v1,…,vn
• By using the LLL algorithm, we can assume that v1,…,vn are not ‘unreasonably’ long: say, of length at most 2^n times the smoothing radius of L

Page 30: Lattice-based Cryptography

Security Proof – Main Procedure

• Sample m vectors x1,…,xm from the Gaussian distribution around 0 of radius equal to the smoothing radius
• Compute a1 := h(x1),…,am := h(xm)
  • Each ai is uniformly distributed in [0,1)^n
• Apply CollisionFind’ to obtain b1,…,bm ∈ {-1,0,1} such that Σ bi h(xi) ≈ (0,…,0) (mod 1), up to m/q in each coordinate
• Define y = Σ bi xi. Then,
  • y is short (of length at most m times the radius)
  • y is extremely close to a lattice point since h(y) = Σ bi h(xi) ≈ (0,…,0) (mod 1), up to m/q in each coordinate

Page 31: Lattice-based Cryptography

Security Proof – Main Procedure

• Write y as a real linear combination of v1,…,vn
• So each coefficient is within m/q of an integer
• Define the lattice vector y’ by rounding each coefficient to the nearest integer
• The distance
• So y’ is a lattice vector of length at most (m+1) times the radius
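The construction of the ‘Our CRHF’ slide and the main procedure of the proof, as an added Python example (not code from the slides or from [MicciancioR04]). It implements the hash f over Z_q^n (the modular subset-sum function of the earlier slide is the n = 1 case), finds a collision by exhaustive search on toy parameters, turns it into the {-1,0,1} combination that CollisionFind is assumed to output, and then runs the reduction in dimension 2: Gaussian samples, the map h, discretisation to Z_q^n, the short vector y and the rounded lattice vector y’. The parameters n = 2, q = 64, m = 16, the basis and the Gaussian width are constructed for this example; the slide's own q = 2^(2n) gives q = m = 16 at n = 2, where the bound m/q = 1 says nothing, which is why q is enlarged. Rounding y to y’ can occasionally give y’ = 0, the issue the ‘One Last Issue’ slide addresses.

```python
import itertools
import math
import random

# Toy parameters, constructed for this example: 2^m = 65536 > q^n = 4096, so a
# collision always exists, and the error bound m/q = 1/4 is meaningful.
N_DIM, Q, M = 2, 64, 16


def subset_sum_hash(a, b, q):
    """f_{a_1..a_m}(b_1..b_m) = sum_i b_i a_i (mod q), a_i in Z_q^n, b_i in {0,1}."""
    out = [0] * len(a[0])
    for b_i, a_i in zip(b, a):
        if b_i:
            out = [(o + c) % q for o, c in zip(out, a_i)]
    return tuple(out)


def find_collision(a, q):
    """Exhaustive search over all 2^m inputs (fine for m = 16); returns b != b'
    with f(b) = f(b'). Pigeonhole guarantees one once 2^m > q^n, i.e. m > n log2 q."""
    seen = {}
    for b in itertools.product((0, 1), repeat=len(a)):
        digest = subset_sum_hash(a, b, q)
        if digest in seen:
            return seen[digest], b
        seen[digest] = b
    raise ValueError("no collision: 2^m <= q^n")


def collision_to_sis_solution(b, b2):
    """b - b' is nonzero, lies in {-1,0,1}^m and has sum_i (b_i - b'_i) a_i = 0 (mod q):
    exactly what the security proof assumes CollisionFind outputs."""
    return tuple(x - y for x, y in zip(b, b2))


# --- the reduction of the security proof, written out for dimension 2 ---------

def coordinates(basis, x):
    """Real coefficients (c1, c2) with x = c1*v1 + c2*v2, by Cramer's rule."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return ((x[0] * d - c * x[1]) / det, (a * x[1] - b * x[0]) / det)


def h_map(basis, x):
    """h: R^n -> [0,1)^n, the basis coordinates of x reduced mod 1; lattice
    points map to (0,...,0)."""
    return tuple(c - math.floor(c) for c in coordinates(basis, x))


def dist(u, v):
    return math.hypot(u[0] - v[0], u[1] - v[1])


def reduction_step(basis, q, m, radius, rng):
    """One run of the main procedure: Gaussian samples x_i -> a_i = h(x_i),
    discretised to Z_q^n -> collision -> y = sum b_i x_i (short and nearly a
    lattice point) -> y' by rounding the coordinates of y to integers."""
    xs = [(rng.gauss(0, radius), rng.gauss(0, radius)) for _ in range(m)]
    a_real = [h_map(basis, x) for x in xs]
    a_disc = [tuple(math.floor(q * c) % q for c in ar) for ar in a_real]
    coef = collision_to_sis_solution(*find_collision(a_disc, q))
    y = tuple(sum(c * x[j] for c, x in zip(coef, xs)) for j in range(2))
    alpha = coordinates(basis, y)            # each within m/q of an integer
    k = [round(c) for c in alpha]
    y_prime = tuple(k[0] * basis[0][j] + k[1] * basis[1][j] for j in range(2))
    return {"basis": basis, "coef": coef, "a_disc": a_disc,
            "y": y, "alpha": alpha, "y_prime": y_prime}


def demo(seed=7):
    rng = random.Random(seed)
    basis = ((3.0, 1.0), (1.0, 4.0))         # constructed lattice basis
    return reduction_step(basis, Q, M, radius=2.0, rng=rng)


if __name__ == "__main__":
    r = demo()
    print(r["coef"], r["y"], r["alpha"], r["y_prime"])
```

Because Σ bi·⌊q ai⌋ ≡ 0 (mod q) exactly, Σ bi ai is within m/q of an integer in each coordinate, and h(y) = Σ bi h(xi) (mod 1) by linearity; so the coordinates of y are within m/q = 1/4 of integers and y’ lies within (m/q)(|v1| + |v2|) of y. The tiny two-dimensional exhaustive search stands in for the oracle; nothing in the reduction itself depends on how the collision was found.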

Page 32: Lattice-based Cryptography

[Figure: a lattice with the samples x1, x2, x3, x4 around 0; CollisionFind’(a1, a2, a3, a4) outputs “-a2 - a3 + a4 ≈ 0 (mod 1)”; the resulting y and the nearby lattice vector y’ are marked]

Page 33: Lattice-based Cryptography

Security Proof – One Last Issue

• How to guarantee that y’ is nonzero?
• Maybe CollisionFind’ acts in some ‘malicious’ way, trying to make y’ zero
• It can be shown that ai does not contain enough information about xi
• In other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y’ is nonzero with very high probability

Page 34: Lattice-based Cryptography

Security Proof – Conclusion

• By a single call to the collision finder, we can find in any lattice a nonzero vector of length at most (m+1) times the radius with some non-negligible probability
• Obviously, by repeating this procedure we can obtain such a vector with very high probability
• The essential idea: All lattices look the same after adding some small amount of blur

Page 35: Lattice-based Cryptography

Open Problems

• Cryptanalysis
  • Current attacks limited to low dimension [NguyenStern98]
  • New systems [Ajtai05, R05] are efficient and can be easily used with dimension 100+
• Improved cryptosystems
  • Construct the ‘ultimate’ lattice-based cryptosystem? (based on SVP, efficient)
  • Construct more efficient schemes based on special classes of lattices?

Page 36: Lattice-based Cryptography

Open Problems

• Comparison with number theoretic cryptography
  • E.g., can one factor integers using an oracle for n-approximate SVP?
• Signature schemes
  • Can one construct provably secure lattice-based signature schemes?
• Security against chosen-ciphertext attacks
  • Known lattice-based cryptosystems are not secure against CCA