Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst •...
Transcript of Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst •...
![Page 1: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/1.jpg)
Lattice-Based Cryptography: A Primer
Rishiraj Bhattacharyya
![Page 2: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/2.jpg)
Symmetric Key Cryptography
Public Key Cryptography
![Page 3: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/3.jpg)
Symmetric Key Crypto:
1. One Time Pad: “r” is the key.
2. Stream Cipher: Both Alice and Bob generate “r” from the key using a pseudorandom generator
![Page 4: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/4.jpg)
Send “r” securely using Public Key of Bob
Semantic Security: r is pseudorandom, given (pk,c’,c)
![Page 5: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/5.jpg)
Public Key Crypto
1.
Example
Bob recovers r using trapdoor
pk sk
![Page 6: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/6.jpg)
Public Key Crypto
1. 2.
Example
![Page 7: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/7.jpg)
Public Key Crypto
1. 2.
Example Example
Requires Trapdoor Functions like RSA Requires one way functions and Key Exchange
![Page 8: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/8.jpg)
Why Post Quantum• Crypto Motto: Ready for the worst
• Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems
• Shor, Peter W. (1997), "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer", SIAM J. Comput. 26 (5): 1484–1509, arXiv:quant-ph/9508027v2
![Page 9: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/9.jpg)
Alternatives: Code Based and Lattice Based
• Similar Basic Idea:
• Error Correcting random code
• Solving approximate linear equations
• Fast Implementation: Linear operations over a Finite Field.
![Page 10: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/10.jpg)
1. A short review of Cryptographic Design
2. Lattice based Encryptions
3. Lattice based Signatures
4. Available Implementations
Agenda
![Page 11: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/11.jpg)
Lattice• Discrete Subgroup of
•
Rn
L =nX
i=1
↵ivi,↵i 2 Z
![Page 12: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/12.jpg)
1/1
Lattice has Multiple Basis
![Page 13: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/13.jpg)
Classical Hard Problems
• Shortest (linearly independent) vector problem
• Closest Vector Problem
![Page 14: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/14.jpg)
2/2
Short Integer Solutions
� Solving linear equation is easy.� What about additional constraints?� z = {−1, 0, 1}n
![Page 15: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/15.jpg)
3/3
Dual Approach: Learning with Error
� How about correcting errors?� Find solution of approximate linear equations?� A ← Zm×n
q
� s ← Znq , e ← χn
� b = As+ e
QuestionDistinguish b from uniform.
![Page 16: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/16.jpg)
4/3
RoadMap
� Encryption Schemes� Regev’s Encryption and its dual� Subset Sum Encryption� Regev’s Encryption in Ring-LWE� Stehle-Steinfield Encryption� NTRU.
![Page 17: Lattice-Based Cryptography: A Primer · Why Post Quantum • Crypto Motto: Ready for the worst • Efficient Quantum Algorithm for Factorisation and Discrete Logarithm Problems •](https://reader033.fdocuments.in/reader033/viewer/2022041922/5e6c5a18eb22e63a866351c7/html5/thumbnails/17.jpg)
4/3
RoadMap
� Encryption Schemes� Regev’s Encryption and its dual� Subset Sum Encryption� Regev’s Encryption in Ring-LWE� Stehle-Steinfield Encryption� NTRU.
� Signature Schemes� Lattice Trapdoor and Hash and Sign� Fiat-Shamir with Lattices.