Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University.

Similar presentations


Presentation on theme: "Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University."— Presentation transcript:

1 Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University

2 Outline Introduction to lattices Introduction to lattices Survey of lattice-based cryptography Survey of lattice-based cryptography Hash functions [Ajtai96,…] Hash functions [Ajtai96,…] Public-key cryptography [AjtaiDwork97,…] Public-key cryptography [AjtaiDwork97,…] Construction of a simple lattice-based hash function Construction of a simple lattice-based hash function Open Problems Open Problems

3 Lattice v1v1 v2v2 0 2v 1 v 1 +v 2 2v 2 2v 2 -v 1 2v 2 -2v 1 For vectors v 1,…,v n in R n we define the lattice generated by them asFor vectors v 1,…,v n in R n we define the lattice generated by them as L={a 1 v 1 +…+a n v n | a i integers} L={a 1 v 1 +…+a n v n | a i integers} We call v 1,…,v n a basis of LWe call v 1,…,v n a basis of L

4 4 Geometric objects with rich structure Considerable mathematical interest, starting from early work by Gauss 1801, Hermite 1850, and Minkowski Recently, many interesting applications in computer science. Some highlights: –LLL algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82]. Used for: Factoring rational polynomials, Solving integer programs in a fixed dimension, Breaking knapsack cryptosystems. –Cryptanalysis: Coppersmiths attacks on RSA –Cryptography: Ajtais one-way functions and the average case connection [Ajtai96] Lattice-based cryptosystems [AjtaiDwork97]History

5 SVP: given a lattice, find a shortest (nonzero) vector SVP: given a lattice, find a shortest (nonzero) vector -approximate SVP: given a lattice, find a vector of length at most times the shortest -approximate SVP: given a lattice, find a vector of length at most times the shortest Other lattice problems: SIVP, SBP, etc. Other lattice problems: SIVP, SBP, etc. Shortest Vector Problem (SVP) 0 v2v2 v1v1 3v 2 -4v 1

6 Conjecture: for any =poly(n), -approximate SVP is hardConjecture: for any =poly(n), -approximate SVP is hard –Best known algorithm runs in time 2 n [AjtaiKumarSivakumar01] –On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04] Best poly-time algorithm solves for =2 nloglogn/logn [LLL82, Schnorr85]Best poly-time algorithm solves for =2 nloglogn/logn [LLL82, Schnorr85] NP-hard for sub-polynomial [Ajtai97,Micciancio01,Khot04,HavivR07]NP-hard for sub-polynomial [Ajtai97,Micciancio01,Khot04,HavivR07] Lattice Problems Seem Hard 2 n loglogn/logn NP-hardNP-hard PP 2 log 1- ² n nn n n NP coNP cryptocrypto 11

7 Survey of Lattice-based Cryptography

8 Standard cryptographyStandard cryptography Not always provable… Not always provable… Security based on an average-case problem Security based on an average-case problem Based on hardness of factoring, discrete log, etc. Based on hardness of factoring, discrete log, etc. Broken by quantum algorithms Broken by quantum algorithms Require modular exponentiation etc. Require modular exponentiation etc. Why use lattice-based cryptography Lattice-based cryptographyLattice-based cryptography Provably secure Provably secure Security based on a worst-case problem Security based on a worst-case problem Based on hardness of lattice problems Based on hardness of lattice problems (Still) Not broken by quantum algorithms (Still) Not broken by quantum algorithms Very simple computations Very simple computations Can do more things Can do more things

9 Reduce solving a hard problem to breaking the cryptographic functionReduce solving a hard problem to breaking the cryptographic function A security proof gives a strong evidence that our cryptographic function has no fundamental flawsA security proof gives a strong evidence that our cryptographic function has no fundamental flaws Can also give hints as to choice of parametersCan also give hints as to choice of parameters Example: One-wayness of modular squaringExample: One-wayness of modular squaring –Somehow choose N=pq for two large primes p,q –f(x)=x 2 mod N –If we can compute square roots then we can factor N Provable Security

10 How do you pick a good N in RSA?How do you pick a good N in RSA? Just pick p,q as random large primes and set N=pq?Just pick p,q as random large primes and set N=pq? –(1978) Largest prime factors of p-1,q-1 should be large –(1981) p+1 and q+1 should have a large prime factor –(1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors –(1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors Bottom line: currently, none of this is relevantBottom line: currently, none of this is relevant Average-case hardness is not so nice…

11 The cryptographic function is hard provided almost all N are hard to factorThe cryptographic function is hard provided almost all N are hard to factor Provable security based on average- case hardness N fNfNfNfN

12 The cryptographic function is hard provided the lattice problem is hard in the worst-caseThe cryptographic function is hard provided the lattice problem is hard in the worst-case This is a much stronger security guaranteeThis is a much stronger security guarantee It assures us that our distribution is correctIt assures us that our distribution is correct Provable security based on worst-case hardness L fLfLfLfL

13 A CRHF is a function f:{0,1} r {0,1} s with r>s such that it is hard to find collisions, i.e.,A CRHF is a function f:{0,1} r {0,1} s with r>s such that it is hard to find collisions, i.e., x y s.t. f(x)=f(y) First lattice-based CRHF given in [Ajtai96]First lattice-based CRHF given in [Ajtai96] –Based on the worst-case hardness of n 8 -approximate SVP Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04]Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04] Current state-of-the-art is a CRHF based on n- approximate SVP [MicciancioR04]Current state-of-the-art is a CRHF based on n- approximate SVP [MicciancioR04] Collision-Resistant Hash Functions

14 The Modular Subset-Sum Function Let N be a big integer, and m=2log 2 NLet N be a big integer, and m=2log 2 N Choose a 1,…,a m uniformly in {0,…,N-1}. Then define f a 1,…,a m :{0,1} m {0,…,N-1} byChoose a 1,…,a m uniformly in {0,…,N-1}. Then define f a 1,…,a m :{0,1} m {0,…,N-1} by f a 1,…,a m (b 1,…,b m ) = Σ b i a i mod N Since m>log 2 N, (many) collisions existSince m>log 2 N, (many) collisions exist We will later see a proof of security:We will later see a proof of security: Being able to find a collision in a randomly chosen f, even with probability n -100 implies a solution to any instance of approximate-SVPBeing able to find a collision in a randomly chosen f, even with probability n -100 implies a solution to any instance of approximate-SVP

15 In the constructions above, for security based on n- dimensional lattices, O(n 2 ) bits are necessary to specify a hash functionIn the constructions above, for security based on n- dimensional lattices, O(n 2 ) bits are necessary to specify a hash function More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06]More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06] –Essentially the same subset-sum function except over a different ring –Only O(n) bits needed to specify a hash function –Based on worst-case hardness of approximate-SVP on a restricted class of lattices (e.g., cyclic or ideal lattices) Recent Work: More Efficient CRHFs

16 A PKC allows parties to communicate securely without having to agree on a secret key beforehand A PKC allows parties to communicate securely without having to agree on a secret key beforehand First lattice-based PKC presented in [AjtaiDwork97]First lattice-based PKC presented in [AjtaiDwork97] –Some improvements [GoldreichGoldwasserHalevi97, R03,Peikert08] Advantages: Advantages: Worst-case hardness Worst-case hardness Based on lattice problems (GapSVP) Based on lattice problems (GapSVP) Main disadvantage: impractical! (think of n as 100): Main disadvantage: impractical! (think of n as 100): Public key size O(n 4 ) Public key size O(n 4 ) Encryption expands by O(n 2 ) Encryption expands by O(n 2 ) Public-key Cryptosystem

17 A Recent Public-key Cryptosystem [R05] Advantages: Advantages: Worst-case hardness Worst-case hardness Based on the main lattice problems (SVP, SIVP) Based on the main lattice problems (SVP, SIVP) Main advantage: practical! (think of n as 100): Main advantage: practical! (think of n as 100): Public key size O(n) Public key size O(n) Encryption expands by O(n) Encryption expands by O(n) One (minor?) disadvantage: One (minor?) disadvantage: Breaking the cryptosystem implies an efficient quantum algorithm for lattices Breaking the cryptosystem implies an efficient quantum algorithm for lattices Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09,...]) Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09,...])

18 Example of a lattice-based PKC [R05] Everything modulo 4 Everything modulo 4 Private key: 4 random numbers Private key: 4 random numbers Public key: a 6x4 matrix and approximate inner product Public key: a 6x4 matrix and approximate inner product Encrypt the bit 0: Encrypt the bit 0: Encrypt the bit 1: Encrypt the bit 1: 2·1 + 0·2 + 1·0 + 2·3 1 1·1 + 2·2 + 2·0 + 3·3 2 0·1 + 2·2 + 0·0 + 3·3 1 1·1 + 2·2 + 0·0 + 2·3 0 0·1 + 3·2 + 1·0 + 3·3 3 3·1 + 3·2 + 0·0 + 2· ·? + 0·? + 1·? + 2·? 1 1·? + 2·? + 2·? + 3·? 2 0·? + 2·? + 0·? + 3·? 1 1·? + 2·? + 0·? + 2·? 0 0·? + 3·? + 1·? + 3·? 3 3·? + 3·? + 0·? + 2·? 2 3·? + 2·? + 1·? + 0·? 3 2·1 + 0·2 + 1·0 + 2·3 = 0 1·1 + 2·2 + 2·0 + 3·3 = 2 0·1 + 2·2 + 0·0 + 3·3 = 1 1·1 + 2·2 + 0·0 + 2·3 = 3 0·1 + 3·2 + 1·0 + 3·3 = 3 3·1 + 3·2 + 0·0 + 2·3 = 3 3·? + 2·? + 1·? + 0·? 1

19 Construction of a Lattice-based Collision Resistant Hash Function

20 Blurring a Picture

21 Blurring a Lattice

22

23

24

25

26 The Smoothing Radius Define the smoothing radius = (L)>0 as the smallest real such that adding Gaussian blur of radius to L yields an essentially uniform distributionDefine the smoothing radius = (L)>0 as the smallest real such that adding Gaussian blur of radius to L yields an essentially uniform distribution The radius was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93]The radius was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93] It was shown that is small in the sense that finding vectors of length poly(n) (L) implies solution to poly(n)-approximate SVPIt was shown that is small in the sense that finding vectors of length poly(n) (L) implies solution to poly(n)-approximate SVP

27 An Alternative Definition Define h: R n ! [0,1) n that maps any x= Σ i v i toDefine h: R n ! [0,1) n that maps any x= Σ i v i to h(x)=( 1,…, n ) mod 1. E.g., any x L has h(x)=(0,…,0)E.g., any x L has h(x)=(0,…,0) Then an alternative way to define is as:Then an alternative way to define is as: The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius, then h(x) is essentially uniform on [0,1) nThe smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius, then h(x) is essentially uniform on [0,1) n

28 0 x1x1x1x1 x2x2x2x2 x3x3x3x3 x4x4x4x4 (0,0)(1,0) (0,1) (1,1) h(x 3 ) RnRnRnRn [0,1) n h(x 2 ) h(x 4 ) h(x 1 )

29 Our CRHF Fix the dimension n, let q=2 2n, and m=4n 2Fix the dimension n, let q=2 2n, and m=4n 2 Choose a 1,…,a m uniformly in Z q n. Then define f a 1,…,a m :{0,1} m {0,1} nlog 2 q byChoose a 1,…,a m uniformly in Z q n. Then define f a 1,…,a m :{0,1} m {0,1} nlog 2 q by f a 1,…,a m (b 1,…,b m ) = Σ b i a i (mod q) Since m>nlog 2 q, (many) collisions existSince m>nlog 2 q, (many) collisions exist We now prove security by showing that:We now prove security by showing that: Being able to find a collision in a randomly chosen f a 1,…,a m, even with probability n -100, implies a solution to any instance of poly(n)-approximate SVPBeing able to find a collision in a randomly chosen f a 1,…,a m, even with probability n -100, implies a solution to any instance of poly(n)-approximate SVP

30 Security Proof Assume there exists an algorithm CollisionFind that given a 1,…,a m chosen uniformly in Z q n, finds with some non-negligible probability b 1,…,b m {-1,0,1} (not all zero) such thatAssume there exists an algorithm CollisionFind that given a 1,…,a m chosen uniformly in Z q n, finds with some non-negligible probability b 1,…,b m {-1,0,1} (not all zero) such that Σ b i a i = 0 (mod q). This implies an algorithm CollisionFind that given a 1,…,a m chosen uniformly from [0,1) n, finds with some non-negligible probability b 1,…,b m {-1,0,1} (not all zero) such thatThis implies an algorithm CollisionFind that given a 1,…,a m chosen uniformly from [0,1) n, finds with some non-negligible probability b 1,…,b m {-1,0,1} (not all zero) such that Σ b i a i (0,…,0) (mod 1) (up to m/q in each coordinate)

31 CollisionFind (0,0)(1,0) (0,1) (1,1) a1a1 a2a2 a3a3 a4a4 a5a5 Output: a 1 +a 2 -a 4 +a 5 (0,…,0) (mod 1) a6a6

32 Security Proof Our goal is to show that using CollisionFind we can find a nonzero vector of length at most poly(n) (L) in any given lattice LOur goal is to show that using CollisionFind we can find a nonzero vector of length at most poly(n) (L) in any given lattice L So let L be a given lattice with basis v 1,…,v nSo let L be a given lattice with basis v 1,…,v n By using the LLL algorithm, we can assume that v 1,…,v n are not unreasonably long: say, of length at most 2 n (L)By using the LLL algorithm, we can assume that v 1,…,v n are not unreasonably long: say, of length at most 2 n (L)

33 Security Proof – Main Procedure Sample m vectors x 1,…,x m from the Gaussian distribution around 0 of radiusSample m vectors x 1,…,x m from the Gaussian distribution around 0 of radius Compute a 1 :=h(x 1 ),…,a m :=h(x m )Compute a 1 :=h(x 1 ),…,a m :=h(x m ) Each a i is uniformly distributed in [0,1) nEach a i is uniformly distributed in [0,1) n Apply CollisionFind to obtain b 1,…,b m {-1,0,1} such thatApply CollisionFind to obtain b 1,…,b m {-1,0,1} such that Σ b i h(x i ) ( m/q,…, m/q) (mod 1) Define y= Σ b i x i. Then,Define y= Σ b i x i. Then, y is short (of length m )y is short (of length m ) y is extremely close to a lattice point since h(y)= Σ b i h(x i ) ( m/q,…, m/q) (mod 1)y is extremely close to a lattice point since h(y)= Σ b i h(x i ) ( m/q,…, m/q) (mod 1)

34 Security Proof – Main Procedure Write y= Σ i v i for some reals 1,…, nWrite y= Σ i v i for some reals 1,…, n So each i is within m/q of an integerSo each i is within m/q of an integer Define the lattice vector y= Σ i v iDefine the lattice vector y= Σ i v i The distanceThe distance So y is a lattice vector of length at most (m+1)So y is a lattice vector of length at most (m+1)

35 0 x1x1x1x1 x2x2x2x2 x3x3x3x3 x4x4x4x4 CollisionFind(a 1,a 2,a 3,a 4 ) -a 2 -a 3 +a 4 0 (mod 1) y y

36 Security Proof – One Last Issue How to guarantee that y is nonzero?How to guarantee that y is nonzero? Maybe CollisionFind acts in some malicious way, trying to make y zeroMaybe CollisionFind acts in some malicious way, trying to make y zero It can be shown that a i does not contain enough information about x iIt can be shown that a i does not contain enough information about x i In other words, conditioned on any fixed a i, x i still has enough randomness to guarantee that y is nonzero with very high probabilityIn other words, conditioned on any fixed a i, x i still has enough randomness to guarantee that y is nonzero with very high probability

37 All lattices look the same after adding some small amount of blur Security Proof – Conclusion By a single call to the collision finder, we can find in any lattice, a nonzero vector of length at most (m+1) with some non-negligible probabilityBy a single call to the collision finder, we can find in any lattice, a nonzero vector of length at most (m+1) with some non-negligible probability By repeating this procedure we can obtain such a vector with very high probabilityBy repeating this procedure we can obtain such a vector with very high probability The essential idea:The essential idea:

38 Open Problems Establish recommended parameters Establish recommended parameters Cryptanalysis Cryptanalysis Known attacks limited to low dimension [NguyenStern98] Known attacks limited to low dimension [NguyenStern98] New systems [Ajtai05,R05] are efficient and can be used with high dimensions New systems [Ajtai05,R05] are efficient and can be used with high dimensions Improved cryptosystems Improved cryptosystems Use special classes of lattices Use special classes of lattices


Download ppt "Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University."

Similar presentations


Ads by Google