Lattice-based Cryptography

Presentation on theme: "Lattice-based Cryptography"— Presentation transcript:

Lattice-based Cryptography
Oded Regev Tel-Aviv University

Outline Introduction to lattices Survey of lattice-based cryptography
Hash functions [Ajtai96,…] Public-key cryptography [AjtaiDwork97,…] Construction of a simple lattice-based hash function Open Problems

Lattice For vectors v1,…,vn in Rn we define the lattice generated by them as L={a1v1+…+anvn | ai integers} We call v1,…,vn a basis of L v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1

History Geometric objects with rich structure
Considerable mathematical interest, starting from early work by Gauss 1801, Hermite 1850, and Minkowski 1896. Recently, many interesting applications in computer science. Some highlights: LLL algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82]. Used for: Factoring rational polynomials, Solving integer programs in a fixed dimension, Breaking knapsack cryptosystems. Cryptanalysis: Coppersmith’s attacks on RSA Cryptography: Ajtai’s one-way functions and the average case connection [Ajtai96] Lattice-based cryptosystems [AjtaiDwork97] Related to Math, CS, physics… Many more works that I don’t mention LLL gives a very bad approximation The reason lattices are interesting, especially in cryptography: hard problems with lots of structure Ajtai work resulted in many papers, even a recent book % he proved that the problem is hard on average case: a random instance is hard as a worst case instance

Shortest Vector Problem (SVP)
SVP: given a lattice, find a shortest (nonzero) vector -approximate SVP: given a lattice, find a vector of length at most  times the shortest Other lattice problems: SIVP, SBP, etc. v2 v1 3v2-4v1

Lattice Problems Seem Hard
Conjecture: for any =poly(n), -approximate SVP is hard Best known algorithm runs in time 2n [AjtaiKumarSivakumar01] On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04] Best poly-time algorithm solves for =2nloglogn/logn [LLL82, Schnorr85] NP-hard for sub-polynomial  [Ajtai97,Micciancio01,Khot04,HavivR07] Explain the importance of average case hardness – factoring is easy 100003*2=200006 1 2log1-²n n n 2n loglogn/logn NP∩coNP crypto NP-hard P

Survey of Lattice-based Cryptography

Why use lattice-based cryptography
Provably secure Security based on a worst-case problem Based on hardness of lattice problems (Still) Not broken by quantum algorithms Very simple computations Can do more things ‘Standard’ cryptography Not always provable… Security based on an average-case problem Based on hardness of factoring, discrete log, etc. Broken by quantum algorithms Require modular exponentiation etc. Explain the importance of average case hardness – factoring is easy 100003*2=200006

Provable Security Reduce solving a hard problem to breaking the cryptographic function A security proof gives a strong evidence that our cryptographic function has no fundamental flaws Can also give hints as to choice of parameters Example: One-wayness of modular squaring Somehow choose N=pq for two large primes p,q f(x)=x2 mod N If we can compute square roots then we can factor N Explain the importance of average case hardness – factoring is easy 100003*2=200006

Average-case hardness is not so nice…
How do you pick a “good” N in RSA? Just pick p,q as random large primes and set N=pq? (1978) Largest prime factors of p-1,q-1 should be large (1981) p+1 and q+1 should have a large prime factor (1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors (1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors Bottom line: currently, none of this is relevant Explain the importance of average case hardness – factoring is easy 100003*2=200006

Provable security based on average-case hardness
The cryptographic function is hard provided almost all N are hard to factor N fN Explain the importance of average case hardness – factoring is easy 100003*2=200006

Provable security based on worst-case hardness
The cryptographic function is hard provided the lattice problem is hard in the worst-case This is a much stronger security guarantee It assures us that our distribution is correct L fL Explain the importance of average case hardness – factoring is easy 100003*2=200006

Collision-Resistant Hash Functions
A CRHF is a function f:{0,1}r{0,1}s with r>s such that it is hard to find collisions, i.e., xy s.t. f(x)=f(y) First lattice-based CRHF given in [Ajtai96] Based on the worst-case hardness of n8-approximate SVP Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04] Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04] Explain the importance of average case hardness – factoring is easy 100003*2=200006

The Modular Subset-Sum Function
Let N be a big integer, and m=2log2N Choose a1,…,am uniformly in {0,…,N-1}. Then define fa1,…,am:{0,1}m{0,…,N-1} by fa1,…,am(b1,…,bm) = Σbiai mod N Since m>log2N, (many) collisions exist We will later see a proof of security: Being able to find a collision in a randomly chosen f, even with probability n-100 implies a solution to any instance of approximate-SVP Simply subset sum, no wavy distribution Family of functions

Recent Work: More Efficient CRHFs
In the constructions above, for security based on n-dimensional lattices, O(n2) bits are necessary to specify a hash function More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06] Essentially the same subset-sum function except over a different ring Only O(n) bits needed to specify a hash function Based on worst-case hardness of approximate-SVP on a restricted class of lattices (e.g., cyclic or ideal lattices) Explain the importance of average case hardness – factoring is easy 100003*2=200006

Public-key Cryptosystem
A PKC allows parties to communicate securely without having to agree on a secret key beforehand First lattice-based PKC presented in [AjtaiDwork97] Some improvements [GoldreichGoldwasserHalevi97, R03,Peikert08] Advantages: Worst-case hardness Based on lattice problems (GapSVP) Main disadvantage: impractical! (think of n as 100): Public key size O(n4) Encryption expands by O(n2) Explain the importance of average case hardness – factoring is easy 100003*2=200006

A Recent Public-key Cryptosystem [R05]
Advantages: Worst-case hardness Based on the main lattice problems (SVP, SIVP) Main advantage: practical! (think of n as 100): Public key size O(n) Encryption expands by O(n) One (minor?) disadvantage: Breaking the cryptosystem implies an efficient quantum algorithm for lattices Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09, ...]) Approximation factors are quite good too

Example of a lattice-based PKC [R05]
Everything modulo 4 Private key: 4 random numbers Public key: a 6x4 matrix and approximate inner product Encrypt the bit 0: Encrypt the bit 1: 2·1 + 0·2 + 1·0 + 2·3 = 0 1·1 + 2·2 + 2·0 + 3·3 = 2 0·1 + 2·2 + 0·0 + 3·3 = 1 1·1 + 2·2 + 0·0 + 2·3 = 3 0·1 + 3·2 + 1·0 + 3·3 = 3 3·1 + 3·2 + 0·0 + 2·3 = 3 2·? + 0·? + 1·? + 2·? ≈ 1 1·? + 2·? + 2·? + 3·? ≈ 2 0·? + 2·? + 0·? + 3·? ≈ 1 1·? + 2·? + 0·? + 2·? ≈ 0 0·? + 3·? + 1·? + 3·? ≈ 3 3·? + 3·? + 0·? + 2·? ≈ 2 2·1 + 0·2 + 1·0 + 2·3 ≈ 1 1·1 + 2·2 + 2·0 + 3·3 ≈ 2 0·1 + 2·2 + 0·0 + 3·3 ≈ 1 1·1 + 2·2 + 0·0 + 2·3 ≈ 0 0·1 + 3·2 + 1·0 + 3·3 ≈ 3 3·1 + 3·2 + 0·0 + 2·3 ≈ 2 3·? + 2·? + 1·? + 0·? ≈ 1 This gives n^2 but n can be achieved 3·? + 2·? + 1·? + 0·? ≈ 3

Construction of a Lattice-based Collision Resistant Hash Function

Blurring a Picture

Blurring a Lattice

Blurring a Lattice

Blurring a Lattice

Blurring a Lattice

Blurring a Lattice

The Smoothing Radius Define the smoothing radius =(L)>0 as the smallest real such that adding Gaussian blur of radius  to L yields an essentially uniform distribution The radius  was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93] It was shown that  is ‘small’ in the sense that finding vectors of length poly(n)(L) implies solution to poly(n)-approximate SVP Simply subset sum, no wavy distribution Family of functions

An Alternative Definition
Define h:Rn![0,1)n that maps any x=Σivi to h(x)=(1,…,n) mod 1. E.g., any xL has h(x)=(0,…,0) Then an alternative way to define  is as: The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius , then h(x) is ‘essentially’ uniform on [0,1)n Simply subset sum, no wavy distribution Family of functions

Rn [0,1)n (0,1) (1,1) h(x2) h(x3) h(x1) h(x4) (0,0) (1,0) x2 x1 x4 x3
h(x1) Simply subset sum, no wavy distribution Family of functions h(x4) (0,0) (1,0)

fa1,…,am(b1,…,bm) = Σbiai (mod q)
Our CRHF Fix the dimension n, let q=22n, and m=4n2 Choose a1,…,am uniformly in Zqn. Then define fa1,…,am:{0,1}m{0,1}nlog2q by fa1,…,am(b1,…,bm) = Σbiai (mod q) Since m>nlog2q, (many) collisions exist We now prove security by showing that: Being able to find a collision in a randomly chosen fa1,…,am, even with probability n-100, implies a solution to any instance of poly(n)-approximate SVP Simply subset sum, no wavy distribution Family of functions

Security Proof Σbiai = 0 (mod q). Σbiai  (0,…,0) (mod 1)
Assume there exists an algorithm CollisionFind that given a1,…,am chosen uniformly in Zqn, finds with some non-negligible probability b1,…,bm{-1,0,1} (not all zero) such that Σbiai = 0 (mod q). This implies an algorithm CollisionFind’ that given a1,…,am chosen uniformly from [0,1)n, finds with some non-negligible probability b1,…,bm{-1,0,1} (not all zero) such that Σbiai  (0,…,0) (mod 1) (up to m/q in each coordinate) Simply subset sum, no wavy distribution Family of functions

CollisionFind’ a2 a3 a4 a1 a5 a6 Output: “a1+a2-a4+a5(0,…,0) (mod 1)”
(0,1) (1,1) a2 a3 a4 a1 a5 a6 Simply subset sum, no wavy distribution Family of functions (0,0) (1,0) Output: “a1+a2-a4+a5(0,…,0) (mod 1)”

Security Proof Our goal is to show that using CollisionFind’ we can find a nonzero vector of length at most poly(n)(L) in any given lattice L So let L be a given lattice with basis v1,…,vn By using the LLL algorithm, we can assume that v1,…,vn are not ‘unreasonably’ long: say, of length at most 2n(L) Simply subset sum, no wavy distribution Family of functions

Security Proof – Main Procedure
Sample m vectors x1,…,xm from the Gaussian distribution around 0 of radius  Compute a1:=h(x1),…,am:=h(xm) Each ai is uniformly distributed in [0,1)n Apply CollisionFind’ to obtain b1,…,bm  {-1,0,1} such that Σbih(xi)  (m/q,…,m/q) (mod 1) Define y=Σbixi. Then, y is short (of length m) y is extremely close to a lattice point since h(y)=Σbih(xi)(m/q,…,m/q) (mod 1) Simply subset sum, no wavy distribution Family of functions

Security Proof – Main Procedure
Write y=Σivi for some reals 1,…,n So each i is within m/q of an integer Define the lattice vector y’=Σivi The distance So y’ is a lattice vector of length at most (m+1) Simply subset sum, no wavy distribution Family of functions

CollisionFind’(a1,a2,a3,a4)“-a2-a3+a40 (mod 1)”
x1 x2 x3 x4 y’ y Simply subset sum, no wavy distribution Family of functions CollisionFind’(a1,a2,a3,a4)“-a2-a3+a40 (mod 1)”

Security Proof – One Last Issue
How to guarantee that y’ is nonzero? Maybe CollisionFind’ acts in some ‘malicious’ way, trying to make y’ zero It can be shown that ai does not contain enough information about xi In other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y’ is nonzero with very high probability Simply subset sum, no wavy distribution Family of functions

Security Proof – Conclusion
By a single call to the collision finder, we can find in any lattice, a nonzero vector of length at most (m+1) with some non-negligible probability By repeating this procedure we can obtain such a vector with very high probability The essential idea: Simply subset sum, no wavy distribution Family of functions All lattices look the same after adding some small amount of blur

Open Problems Establish recommended parameters Cryptanalysis
Known attacks limited to low dimension [NguyenStern98] New systems [Ajtai05,R05] are efficient and can be used with high dimensions Improved cryptosystems Use special classes of lattices