Lattice-based Cryptography
Oded Regev, Tel-Aviv University

Transcript of the slides (38 pages).

Page 1: Lattice-based Cryptography

Oded Regev, Tel-Aviv University

Page 2: Outline

• Introduction to lattices
• Survey of lattice-based cryptography
  – Hash functions [Ajtai96, …]
  – Public-key cryptography [AjtaiDwork97, …]
• Construction of a simple lattice-based hash function
• Open problems

Page 3: Lattice

[Figure: a two-dimensional lattice with basis vectors v1, v2 and origin 0; the points 2v1, v1+v2, 2v2, 2v2-v1 and 2v2-2v1 are labelled.]

• For vectors v1, …, vn in R^n we define the lattice generated by them as
  L = {a1 v1 + … + an vn | ai integers}
• We call v1, …, vn a basis of L

Page 4: History

• Geometric objects with rich structure
• Considerable mathematical interest, starting from early work by Gauss 1801, Hermite 1850, and Minkowski 1896.
• Recently, many interesting applications in computer science. Some highlights:
  – LLL algorithm: approximates the shortest vector in a lattice [LenstraLenstraLovász82]. Used for:
    • Factoring rational polynomials,
    • Solving integer programs in a fixed dimension,
    • Breaking knapsack cryptosystems.
  – Cryptanalysis:
    • Coppersmith's attacks on RSA
  – Cryptography:
    • Ajtai's one-way functions and the average-case connection [Ajtai96]
    • Lattice-based cryptosystems [AjtaiDwork97]

Page 5: Shortest Vector Problem (SVP)

• SVP: given a lattice, find a shortest (nonzero) vector
• Approximate SVP (to within a given factor): given a lattice, find a vector of length at most that factor times the shortest
• Other lattice problems: SIVP, SBP, etc.

[Figure: a two-dimensional lattice with basis v1, v2 and origin 0; the shortest vector 3v2-4v1 is highlighted.]

Page 6: Lattice Problems Seem Hard

• Conjecture: for any approximation factor that is poly(n), approximate SVP is hard
  – Best known algorithm runs in time 2^n [AjtaiKumarSivakumar01]
  – On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04]
• Best poly-time algorithm solves for the factor 2^{n log log n / log n} [LLL82, Schnorr85]
• NP-hard for sub-polynomial factors [Ajtai97, Micciancio01, Khot04, HavivR07]

[Figure: the approximation factor on a scale starting at 1: NP-hard up to about 2^{(log n)^{1-ε}}, then the NP ∩ coNP range, the range used for crypto, and in P from 2^{n log log n / log n}.]

Page 7: Survey of Lattice-based Cryptography

Page 8: Why use lattice-based cryptography

• 'Standard' cryptography:
  – Not always provable…
  – Security based on an average-case problem
  – Based on hardness of factoring, discrete log, etc.
  – Broken by quantum algorithms
  – Requires modular exponentiation etc.
• Lattice-based cryptography:
  – Provably secure
  – Security based on a worst-case problem
  – Based on hardness of lattice problems
  – (Still) not broken by quantum algorithms
  – Very simple computations
  – Can do more things

Page 9: Provable Security

• Reduce solving a hard problem to breaking the cryptographic function
• A security proof gives strong evidence that our cryptographic function has no fundamental flaws
• Can also give hints as to the choice of parameters
• Example: one-wayness of modular squaring
  – Somehow choose N=pq for two large primes p,q
  – f(x) = x^2 mod N
  – If we can compute square roots then we can factor N

Page 10: Average-case hardness is not so nice…

• How do you pick a "good" N in RSA?
• Just pick p,q as random large primes and set N=pq?
  – (1978) Largest prime factors of p-1, q-1 should be large
  – (1981) p+1 and q+1 should have a large prime factor
  – (1982) If the largest prime factors of p-1 and q-1 are p' and q', then p'-1 and q'-1 should have large prime factors
  – (1984) If the largest prime factors of p+1 and q+1 are p' and q', then p'-1 and q'-1 should have large prime factors
• Bottom line: currently, none of this is relevant

Page 11: Provable security based on average-case hardness

• The cryptographic function is hard provided almost all N are hard to factor

[Figure: a randomly chosen N, and the function f_N built from it.]

Page 12: Provable security based on worst-case hardness

• The cryptographic function is hard provided the lattice problem is hard in the worst case
• This is a much stronger security guarantee
• It assures us that our distribution is correct

[Figure: any lattice L, and the function f_L built from it.]

Page 13: Collision-Resistant Hash Functions

• A CRHF is a function f: {0,1}^r → {0,1}^s with r > s such that it is hard to find collisions, i.e., x ≠ y s.t. f(x) = f(y)
• First lattice-based CRHF given in [Ajtai96]
  – Based on the worst-case hardness of n^8-approximate SVP
• Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04]
• Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04]

Page 14: The Modular Subset-Sum Function

• Let N be a big integer, and m = 2 log2 N
• Choose a1, …, am uniformly in {0, …, N-1}. Then define f_{a1,…,am}: {0,1}^m → {0, …, N-1} by
  f_{a1,…,am}(b1, …, bm) = Σ bi ai mod N
• Since m > log2 N, (many) collisions exist
• We will later see a proof of security: being able to find a collision in a randomly chosen f, even with probability n^{-100}, implies a solution to any instance of approximate-SVP

Page 15: Recent Work: More Efficient CRHFs

• In the constructions above, for security based on n-dimensional lattices, O(n^2) bits are necessary to specify a hash function
• More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06]
  – Essentially the same subset-sum function, except over a different ring
  – Only O(n) bits needed to specify a hash function
  – Based on worst-case hardness of approximate-SVP on a restricted class of lattices (e.g., cyclic or ideal lattices)

Page 16: Public-key Cryptosystem

• A PKC allows parties to communicate securely without having to agree on a secret key beforehand
• First lattice-based PKC presented in [AjtaiDwork97]
  – Some improvements [GoldreichGoldwasserHalevi97, R03, Peikert08]
• Advantages:
  • Worst-case hardness
  • Based on lattice problems (GapSVP)
• Main disadvantage: impractical! (think of n as 100):
  • Public key size O(n^4)
  • Encryption expands by O(n^2)

Page 17: A Recent Public-key Cryptosystem [R05]

• Advantages:
  • Worst-case hardness
  • Based on the main lattice problems (SVP, SIVP)
• Main advantage: practical! (think of n as 100):
  • Public key size O(n)
  • Encryption expands by O(n)
• One (minor?) disadvantage:
  • Breaking the cryptosystem implies an efficient quantum algorithm for lattices
• Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09, ...])

Page 18: Example of a lattice-based PKC [R05]

• Everything modulo 4
• Private key: 4 random numbers: 1 2 0 3
• Public key: a 6x4 matrix and the approximate inner product of each row with the private key:
  2 0 1 2    2·1 + 0·2 + 1·0 + 2·3 ≈ 1   (exact value 0)
  1 2 2 3    1·1 + 2·2 + 2·0 + 3·3 ≈ 2   (exact value 2)
  0 2 0 3    0·1 + 2·2 + 0·0 + 3·3 ≈ 1   (exact value 1)
  1 2 0 2    1·1 + 2·2 + 0·0 + 2·3 ≈ 0   (exact value 3)
  0 3 1 3    0·1 + 3·2 + 1·0 + 3·3 ≈ 3   (exact value 3)
  3 3 0 2    3·1 + 3·2 + 0·0 + 2·3 ≈ 2   (exact value 3)
  Without the private key, the public key reads:
  2·? + 0·? + 1·? + 2·? ≈ 1
  1·? + 2·? + 2·? + 3·? ≈ 2
  0·? + 2·? + 0·? + 3·? ≈ 1
  1·? + 2·? + 0·? + 2·? ≈ 0
  0·? + 3·? + 1·? + 3·? ≈ 3
  3·? + 3·? + 0·? + 2·? ≈ 2
• Encrypt the bit 0: add up a random subset of the rows (here rows 1 and 4):
  3·? + 2·? + 1·? + 0·? ≈ 1
• Encrypt the bit 1: the same, with 2 (half the modulus) added on the right-hand side:
  3·? + 2·? + 1·? + 0·? ≈ 3
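As an added example (not code from the slides or from [R05]), the following Python reproduces the toy instance above and the general procedure it illustrates: a public key of rows with noisy inner products, encryption by summing a subset of rows with the bit encoded as 0 or q/2, and decryption by subtracting the secret inner product. The function names, the noise set {-1,0,1} and the parameters of `trial` are choices made here.

```python
import random

def keygen(n, m, q, rng):
    """Private key s in Z_q^n; public key (A, b) with b_i = <A_i, s> + e_i mod q,
    e_i in {-1, 0, 1} (the 'approximate inner products' of the slide)."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(sum(x * y for x, y in zip(row, s)) + rng.choice((-1, 0, 1))) % q
         for row in A]
    return s, (A, b)

def encrypt(pk, bit, q, rng=None, subset=None):
    """Add up a random subset of the public-key rows; encode the bit as 0 or q/2."""
    A, b = pk
    if subset is None:
        subset = [i for i in range(len(A)) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % q for j in range(len(A[0]))]
    v = (sum(b[i] for i in subset) + bit * (q // 2)) % q
    return u, v

def decrypt(s, ct, q):
    """v - <u, s> mod q is (noise) for bit 0 and (q/2 + noise) for bit 1."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % q
    dist_to_0 = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 0 if dist_to_0 < dist_to_half else 1

# The slide's toy instance: modulus 4, private key 1 2 0 3, the 6x4 matrix
# and the approximate inner products shown on the slide.
TOY_Q = 4
TOY_S = [1, 2, 0, 3]
TOY_A = [[2, 0, 1, 2], [1, 2, 2, 3], [0, 2, 0, 3],
         [1, 2, 0, 2], [0, 3, 1, 3], [3, 3, 0, 2]]
TOY_B = [1, 2, 1, 0, 3, 2]

def exact_inner_products():
    """The exact values 0 2 1 3 3 3 that the approximate ones hide."""
    return [sum(x * y for x, y in zip(row, TOY_S)) % TOY_Q for row in TOY_A]

def toy_ciphertexts():
    """Rows 1 and 4 (indices 0 and 3) sum to 3·?+2·?+1·?+0·?, as on the slide."""
    pk = (TOY_A, TOY_B)
    c0 = encrypt(pk, 0, TOY_Q, subset=[0, 3])
    c1 = encrypt(pk, 1, TOY_Q, subset=[0, 3])
    return c0, c1

def trial(n=8, m=64, q=1009, trials=200, seed=1):
    """With |sum of m errors| <= m = 64 < q/4, decryption can never fail.
    Returns the number of wrongly decrypted bits (expected: 0)."""
    rng = random.Random(seed)
    s, pk = keygen(n, m, q, rng)
    failures = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        if decrypt(s, encrypt(pk, bit, q, rng), q) != bit:
            failures += 1
    return failures
```

With modulus 4 the errors of the two selected rows (+1 and +1) add up to 2, half the modulus, so `decrypt` gets both toy ciphertexts wrong; `trial` uses q=1009 with m=64 rows so that the accumulated error stays below q/4 and every bit decrypts correctly.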

Page 19: Construction of a Lattice-based Collision Resistant Hash Function

Page 20: Blurring a Picture

[Figure only.]

Pages 21–25: Blurring a Lattice

[Figures only: the lattice points under successively more Gaussian blur.]

Page 26: The Smoothing Radius

• Define the smoothing radius of L (a positive real) as the smallest radius such that adding Gaussian blur of that radius to L yields an essentially uniform distribution
• The smoothing radius was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93]
• It was shown that it is 'small', in the sense that finding vectors of length poly(n) times the smoothing radius of L implies a solution to poly(n)-approximate SVP

Page 27: An Alternative Definition

• Define h: R^n → [0,1)^n as the map that writes x as a real combination of the basis vectors v1, …, vn and returns the vector of its n coefficients reduced mod 1
• E.g., any x ∈ L has h(x) = (0, …, 0)
• Then an alternative way to define the smoothing radius is as the smallest radius such that if x is sampled from a Gaussian distribution centered around 0 of that radius, then h(x) is 'essentially' uniform on [0,1)^n

Page 28:

[Figure: points x1, …, x4 around the origin 0 in R^n, and their images h(x1), …, h(x4) in the unit cube [0,1)^n with corners (0,0), (1,0), (0,1), (1,1).]

Page 29: Our CRHF

• Fix the dimension n, let q = 2^{2n}, and m = 4n^2
• Choose a1, …, am uniformly in Z_q^n. Then define f_{a1,…,am}: {0,1}^m → {0,1}^{n log2 q} by
  f_{a1,…,am}(b1, …, bm) = Σ bi ai (mod q)
• Since m > n log2 q, (many) collisions exist
• We now prove security by showing that: being able to find a collision in a randomly chosen f_{a1,…,am}, even with probability n^{-100}, implies a solution to any instance of poly(n)-approximate SVP

Page 30: Security Proof

• Assume there exists an algorithm CollisionFind that, given a1, …, am chosen uniformly in Z_q^n, finds with some non-negligible probability b1, …, bm ∈ {-1,0,1} (not all zero) such that
  Σ bi ai = 0 (mod q).
• This implies an algorithm CollisionFind' that, given a1, …, am chosen uniformly from [0,1)^n, finds with some non-negligible probability b1, …, bm ∈ {-1,0,1} (not all zero) such that
  Σ bi ai ≈ (0, …, 0) (mod 1)  (up to m/q in each coordinate)
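As an added example (not from the slides), this Python implements the subset-sum hash of pages 14 and 29 over Z_q^n (the page-14 function is the case n=1) and, for toy parameters where exhaustive search is feasible, turns a collision x ≠ y into the {-1,0,1} relation b = x - y that page 30 assumes CollisionFind outputs. Function names, the seed and the toy dimension are chosen here.

```python
import random

def subset_sum_hash(keys, bits, q):
    """f_{a1..am}(b1..bm) = sum b_i a_i (mod q), each a_i a vector in Z_q^n."""
    n = len(keys[0])
    out = [0] * n
    for b, a in zip(bits, keys):
        if b:
            for j in range(n):
                out[j] = (out[j] + a[j]) % q
    return tuple(out)

def random_keys(n, m, q, rng):
    """a1, ..., am chosen uniformly in Z_q^n."""
    return [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m)]

def find_collision(keys, q):
    """Exhaustive search over {0,1}^m (toy m only): two distinct inputs with
    equal hash. They exist by pigeonhole because 2^m > q^n, and the search
    must succeed within q^n + 1 inputs."""
    m = len(keys)
    seen = {}
    for x in range(2 ** m):
        bits = [(x >> i) & 1 for i in range(m)]
        hv = subset_sum_hash(keys, bits, q)
        if hv in seen:
            return seen[hv], bits
        seen[hv] = bits
    return None

def collision_to_relation(x, y):
    """b = x - y in {-1,0,1}^m, not all zero, with sum b_i a_i = 0 (mod q)."""
    return [xi - yi for xi, yi in zip(x, y)]

def relation_holds(keys, b, q):
    n = len(keys[0])
    return all(sum(bi * a[j] for bi, a in zip(b, keys)) % q == 0
               for j in range(n))

def demo(n=2, seed=3):
    """Uses the page-29 parameters q = 2^(2n), m = 4n^2 (n=2: q=16, m=16)."""
    q, m = 2 ** (2 * n), 4 * n * n
    rng = random.Random(seed)
    keys = random_keys(n, m, q, rng)
    x, y = find_collision(keys, q)
    return keys, collision_to_relation(x, y), q
```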

Page 31: CollisionFind'

[Figure: points a1, …, a6 in the unit square with corners (0,0), (1,0), (0,1), (1,1). Output: "a1 + a2 - a4 + a5 ≈ (0, …, 0) (mod 1)".]

Page 32: Security Proof

• Our goal is to show that using CollisionFind' we can find a nonzero vector of length at most poly(n) times the smoothing radius of L in any given lattice L
• So let L be a given lattice with basis v1, …, vn
• By using the LLL algorithm, we can assume that v1, …, vn are not 'unreasonably' long: say, of length at most 2^n times the smoothing radius of L

Page 33: Security Proof – Main Procedure

• Sample m vectors x1, …, xm from the Gaussian distribution around 0 with the smoothing radius
• Compute a1 := h(x1), …, am := h(xm)
• Each ai is uniformly distributed in [0,1)^n
• Apply CollisionFind' to obtain b1, …, bm ∈ {-1,0,1} such that
  Σ bi h(xi) ≈ (0, …, 0) (mod 1), up to m/q in each coordinate
• Define y = Σ bi xi. Then,
  • y is short (of length at most m times the radius)
  • y is extremely close to a lattice point, since h(y) = Σ bi h(xi) ≈ (0, …, 0) (mod 1), up to m/q in each coordinate

Page 34: Security Proof – Main Procedure

• Write y as a real combination of the basis vectors v1, …, vn
• So each coefficient is within m/q of an integer
• Define the lattice vector y' by rounding each coefficient to the nearest integer
• The distance between y and y' is tiny: each of the n coefficients is off by at most m/q = 4n^2 / 2^{2n}, and each basis vector has length at most 2^n times the smoothing radius
• So y' is a lattice vector of length at most (m+1) times the radius
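As an added example (not from the slides), this Python makes the map h of page 27 and the main procedure of pages 33–34 concrete in two dimensions: coefficients in a basis, reduction mod 1, a brute-force stand-in for the hypothetical CollisionFind' oracle, and the rounding of y to the lattice vector y'. The basis V1, V2, the Gaussian radius, the tolerance and all function names are constructed here.

```python
import itertools
import math
import random

# Constructed 2-D basis (not from the slides); any non-singular basis works.
V1, V2 = (3.0, 1.0), (1.0, 4.0)

def coords(x):
    """Real coefficients (c1, c2) with x = c1*V1 + c2*V2, via the 2x2 inverse."""
    det = V1[0] * V2[1] - V1[1] * V2[0]
    c1 = (V2[1] * x[0] - V2[0] * x[1]) / det
    c2 = (V1[0] * x[1] - V1[1] * x[0]) / det
    return c1, c2

def combine(c1, c2):
    return (c1 * V1[0] + c2 * V2[0], c1 * V1[1] + c2 * V2[1])

def h(x):
    """Page 27: the coefficients of x reduced mod 1; h is (0,0) on lattice points."""
    return tuple(c - math.floor(c) for c in coords(x))

def is_lattice_point(x, eps=1e-9):
    return all(abs(c - round(c)) < eps for c in coords(x))

def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def collision_find_prime(points, tol):
    """Brute-force stand-in for the hypothetical CollisionFind' oracle: the b in
    {-1,0,1}^m (not all zero) whose combination of the points is closest to
    (0,0) mod 1, if that is within tol per coordinate. Exponential in m."""
    best, best_dist = None, None
    for b in itertools.product((-1, 0, 1), repeat=len(points)):
        if not any(b):
            continue
        s = [sum(bi * p[j] for bi, p in zip(b, points)) for j in range(2)]
        dist = max(abs(c - round(c)) for c in s)
        if best is None or dist < best_dist:
            best, best_dist = b, dist
    return best if best_dist <= tol else None

def round_to_lattice(y):
    """Pages 33-34: y = sum b_i x_i is close to L; y' rounds its coefficients."""
    c1, c2 = coords(y)
    k1, k2 = round(c1), round(c2)
    return combine(k1, k2), (k1, k2)

def main_procedure(m=8, radius=3.0, tol=0.1, seed=7):
    """Sample Gaussian x_i, blur them to a_i = h(x_i), call the oracle, and
    round the short combination y to the lattice vector y'."""
    rng = random.Random(seed)
    xs = [(rng.gauss(0, radius), rng.gauss(0, radius)) for _ in range(m)]
    b = collision_find_prime([h(x) for x in xs], tol)
    if b is None:
        return None
    y = (sum(bi * x[0] for bi, x in zip(b, xs)),
         sum(bi * x[1] for bi, x in zip(b, xs)))
    yprime, ks = round_to_lattice(y)
    return b, y, yprime, ks
```

The oracle here is exponential in m and only stands in for the assumed efficient collision finder; the page-36 point that y' might still be zero is not checked by this toy.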

Page 35:

[Figure: points x1, …, x4 around the origin 0; CollisionFind'(a1, a2, a3, a4) outputs "-a2 - a3 + a4 ≈ 0 (mod 1)"; the resulting y and the nearby lattice vector y' are shown.]

Page 36: Security Proof – One Last Issue

• How to guarantee that y' is nonzero?
• Maybe CollisionFind' acts in some 'malicious' way, trying to make y' zero
• It can be shown that ai does not contain enough information about xi
• In other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y' is nonzero with very high probability

Page 37: Security Proof – Conclusion

• By a single call to the collision finder, we can find in any lattice a nonzero vector of length at most (m+1) times the radius, with some non-negligible probability
• By repeating this procedure we can obtain such a vector with very high probability
• The essential idea: all lattices look the same after adding some small amount of blur

Page 38: Open Problems

• Establish recommended parameters
• Cryptanalysis
  – Known attacks limited to low dimension [NguyenStern98]
  – New systems [Ajtai05, R05] are efficient and can be used with high dimensions
• Improved cryptosystems
• Use special classes of lattices