Download presentation

Presentation is loading. Please wait.

1
**Lattice-based Cryptography**

Oded Regev Tel-Aviv University

2
**Outline Introduction to lattices Survey of lattice-based cryptography**

Hash functions [Ajtai96,…] Public-key cryptography [AjtaiDwork97,…] Construction of a simple lattice-based hash function Open Problems

3
Lattice For vectors v1,…,vn in Rn we define the lattice generated by them as L={a1v1+…+anvn | ai integers} We call v1,…,vn a basis of L v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1

4
**History Geometric objects with rich structure**

Considerable mathematical interest, starting from early work by Gauss 1801, Hermite 1850, and Minkowski 1896. Recently, many interesting applications in computer science. Some highlights: LLL algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82]. Used for: Factoring rational polynomials, Solving integer programs in a fixed dimension, Breaking knapsack cryptosystems. Cryptanalysis: Coppersmith’s attacks on RSA Cryptography: Ajtai’s one-way functions and the average case connection [Ajtai96] Lattice-based cryptosystems [AjtaiDwork97] Related to Math, CS, physics… Many more works that I don’t mention LLL gives a very bad approximation The reason lattices are interesting, especially in cryptography: hard problems with lots of structure Ajtai work resulted in many papers, even a recent book % he proved that the problem is hard on average case: a random instance is hard as a worst case instance

5
**Shortest Vector Problem (SVP)**

SVP: given a lattice, find a shortest (nonzero) vector -approximate SVP: given a lattice, find a vector of length at most times the shortest Other lattice problems: SIVP, SBP, etc. v2 v1 3v2-4v1

6
**Lattice Problems Seem Hard**

Conjecture: for any =poly(n), -approximate SVP is hard Best known algorithm runs in time 2n [AjtaiKumarSivakumar01] On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04] Best poly-time algorithm solves for =2nloglogn/logn [LLL82, Schnorr85] NP-hard for sub-polynomial [Ajtai97,Micciancio01,Khot04,HavivR07] Explain the importance of average case hardness – factoring is easy 100003*2=200006 1 2log1-²n n n 2n loglogn/logn NP∩coNP crypto NP-hard P

7
**Survey of Lattice-based Cryptography**

8
**Why use lattice-based cryptography**

Provably secure Security based on a worst-case problem Based on hardness of lattice problems (Still) Not broken by quantum algorithms Very simple computations Can do more things ‘Standard’ cryptography Not always provable… Security based on an average-case problem Based on hardness of factoring, discrete log, etc. Broken by quantum algorithms Require modular exponentiation etc. Explain the importance of average case hardness – factoring is easy 100003*2=200006

9
Provable Security Reduce solving a hard problem to breaking the cryptographic function A security proof gives a strong evidence that our cryptographic function has no fundamental flaws Can also give hints as to choice of parameters Example: One-wayness of modular squaring Somehow choose N=pq for two large primes p,q f(x)=x2 mod N If we can compute square roots then we can factor N Explain the importance of average case hardness – factoring is easy 100003*2=200006

10
**Average-case hardness is not so nice…**

How do you pick a “good” N in RSA? Just pick p,q as random large primes and set N=pq? (1978) Largest prime factors of p-1,q-1 should be large (1981) p+1 and q+1 should have a large prime factor (1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors (1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors Bottom line: currently, none of this is relevant Explain the importance of average case hardness – factoring is easy 100003*2=200006

11
**Provable security based on average-case hardness**

The cryptographic function is hard provided almost all N are hard to factor N fN Explain the importance of average case hardness – factoring is easy 100003*2=200006

12
**Provable security based on worst-case hardness**

The cryptographic function is hard provided the lattice problem is hard in the worst-case This is a much stronger security guarantee It assures us that our distribution is correct L fL Explain the importance of average case hardness – factoring is easy 100003*2=200006

13
**Collision-Resistant Hash Functions**

A CRHF is a function f:{0,1}r{0,1}s with r>s such that it is hard to find collisions, i.e., xy s.t. f(x)=f(y) First lattice-based CRHF given in [Ajtai96] Based on the worst-case hardness of n8-approximate SVP Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04] Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04] Explain the importance of average case hardness – factoring is easy 100003*2=200006

14
**The Modular Subset-Sum Function**

Let N be a big integer, and m=2log2N Choose a1,…,am uniformly in {0,…,N-1}. Then define fa1,…,am:{0,1}m{0,…,N-1} by fa1,…,am(b1,…,bm) = Σbiai mod N Since m>log2N, (many) collisions exist We will later see a proof of security: Being able to find a collision in a randomly chosen f, even with probability n-100 implies a solution to any instance of approximate-SVP Simply subset sum, no wavy distribution Family of functions

15
**Recent Work: More Efficient CRHFs**

In the constructions above, for security based on n-dimensional lattices, O(n2) bits are necessary to specify a hash function More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06] Essentially the same subset-sum function except over a different ring Only O(n) bits needed to specify a hash function Based on worst-case hardness of approximate-SVP on a restricted class of lattices (e.g., cyclic or ideal lattices) Explain the importance of average case hardness – factoring is easy 100003*2=200006

16
**Public-key Cryptosystem**

A PKC allows parties to communicate securely without having to agree on a secret key beforehand First lattice-based PKC presented in [AjtaiDwork97] Some improvements [GoldreichGoldwasserHalevi97, R03,Peikert08] Advantages: Worst-case hardness Based on lattice problems (GapSVP) Main disadvantage: impractical! (think of n as 100): Public key size O(n4) Encryption expands by O(n2) Explain the importance of average case hardness – factoring is easy 100003*2=200006

17
**A Recent Public-key Cryptosystem [R05]**

Advantages: Worst-case hardness Based on the main lattice problems (SVP, SIVP) Main advantage: practical! (think of n as 100): Public key size O(n) Encryption expands by O(n) One (minor?) disadvantage: Breaking the cryptosystem implies an efficient quantum algorithm for lattices Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09, ...]) Approximation factors are quite good too

18
**Example of a lattice-based PKC [R05]**

Everything modulo 4 Private key: 4 random numbers Public key: a 6x4 matrix and approximate inner product Encrypt the bit 0: Encrypt the bit 1: 2·1 + 0·2 + 1·0 + 2·3 = 0 1·1 + 2·2 + 2·0 + 3·3 = 2 0·1 + 2·2 + 0·0 + 3·3 = 1 1·1 + 2·2 + 0·0 + 2·3 = 3 0·1 + 3·2 + 1·0 + 3·3 = 3 3·1 + 3·2 + 0·0 + 2·3 = 3 2·? + 0·? + 1·? + 2·? ≈ 1 1·? + 2·? + 2·? + 3·? ≈ 2 0·? + 2·? + 0·? + 3·? ≈ 1 1·? + 2·? + 0·? + 2·? ≈ 0 0·? + 3·? + 1·? + 3·? ≈ 3 3·? + 3·? + 0·? + 2·? ≈ 2 2·1 + 0·2 + 1·0 + 2·3 ≈ 1 1·1 + 2·2 + 2·0 + 3·3 ≈ 2 0·1 + 2·2 + 0·0 + 3·3 ≈ 1 1·1 + 2·2 + 0·0 + 2·3 ≈ 0 0·1 + 3·2 + 1·0 + 3·3 ≈ 3 3·1 + 3·2 + 0·0 + 2·3 ≈ 2 3·? + 2·? + 1·? + 0·? ≈ 1 This gives n^2 but n can be achieved 3·? + 2·? + 1·? + 0·? ≈ 3

19
**Construction of a Lattice-based Collision Resistant Hash Function**

20
Blurring a Picture

21
Blurring a Lattice

22
Blurring a Lattice

23
Blurring a Lattice

24
Blurring a Lattice

25
Blurring a Lattice

26
The Smoothing Radius Define the smoothing radius =(L)>0 as the smallest real such that adding Gaussian blur of radius to L yields an essentially uniform distribution The radius was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93] It was shown that is ‘small’ in the sense that finding vectors of length poly(n)(L) implies solution to poly(n)-approximate SVP Simply subset sum, no wavy distribution Family of functions

27
**An Alternative Definition**

Define h:Rn![0,1)n that maps any x=Σivi to h(x)=(1,…,n) mod 1. E.g., any xL has h(x)=(0,…,0) Then an alternative way to define is as: The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius , then h(x) is ‘essentially’ uniform on [0,1)n Simply subset sum, no wavy distribution Family of functions

28
**Rn [0,1)n (0,1) (1,1) h(x2) h(x3) h(x1) h(x4) (0,0) (1,0) x2 x1 x4 x3**

h(x1) Simply subset sum, no wavy distribution Family of functions h(x4) (0,0) (1,0)

29
**fa1,…,am(b1,…,bm) = Σbiai (mod q)**

Our CRHF Fix the dimension n, let q=22n, and m=4n2 Choose a1,…,am uniformly in Zqn. Then define fa1,…,am:{0,1}m{0,1}nlog2q by fa1,…,am(b1,…,bm) = Σbiai (mod q) Since m>nlog2q, (many) collisions exist We now prove security by showing that: Being able to find a collision in a randomly chosen fa1,…,am, even with probability n-100, implies a solution to any instance of poly(n)-approximate SVP Simply subset sum, no wavy distribution Family of functions

30
**Security Proof Σbiai = 0 (mod q). Σbiai (0,…,0) (mod 1)**

Assume there exists an algorithm CollisionFind that given a1,…,am chosen uniformly in Zqn, finds with some non-negligible probability b1,…,bm{-1,0,1} (not all zero) such that Σbiai = 0 (mod q). This implies an algorithm CollisionFind’ that given a1,…,am chosen uniformly from [0,1)n, finds with some non-negligible probability b1,…,bm{-1,0,1} (not all zero) such that Σbiai (0,…,0) (mod 1) (up to m/q in each coordinate) Simply subset sum, no wavy distribution Family of functions

31
**CollisionFind’ a2 a3 a4 a1 a5 a6 Output: “a1+a2-a4+a5(0,…,0) (mod 1)”**

(0,1) (1,1) a2 a3 a4 a1 a5 a6 Simply subset sum, no wavy distribution Family of functions (0,0) (1,0) Output: “a1+a2-a4+a5(0,…,0) (mod 1)”

32
Security Proof Our goal is to show that using CollisionFind’ we can find a nonzero vector of length at most poly(n)(L) in any given lattice L So let L be a given lattice with basis v1,…,vn By using the LLL algorithm, we can assume that v1,…,vn are not ‘unreasonably’ long: say, of length at most 2n(L) Simply subset sum, no wavy distribution Family of functions

33
**Security Proof – Main Procedure**

Sample m vectors x1,…,xm from the Gaussian distribution around 0 of radius Compute a1:=h(x1),…,am:=h(xm) Each ai is uniformly distributed in [0,1)n Apply CollisionFind’ to obtain b1,…,bm {-1,0,1} such that Σbih(xi) (m/q,…,m/q) (mod 1) Define y=Σbixi. Then, y is short (of length m) y is extremely close to a lattice point since h(y)=Σbih(xi)(m/q,…,m/q) (mod 1) Simply subset sum, no wavy distribution Family of functions

34
**Security Proof – Main Procedure**

Write y=Σivi for some reals 1,…,n So each i is within m/q of an integer Define the lattice vector y’=Σivi The distance So y’ is a lattice vector of length at most (m+1) Simply subset sum, no wavy distribution Family of functions

35
**CollisionFind’(a1,a2,a3,a4)“-a2-a3+a40 (mod 1)”**

x1 x2 x3 x4 y’ y Simply subset sum, no wavy distribution Family of functions CollisionFind’(a1,a2,a3,a4)“-a2-a3+a40 (mod 1)”

36
**Security Proof – One Last Issue**

How to guarantee that y’ is nonzero? Maybe CollisionFind’ acts in some ‘malicious’ way, trying to make y’ zero It can be shown that ai does not contain enough information about xi In other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y’ is nonzero with very high probability Simply subset sum, no wavy distribution Family of functions

37
**Security Proof – Conclusion**

By a single call to the collision finder, we can find in any lattice, a nonzero vector of length at most (m+1) with some non-negligible probability By repeating this procedure we can obtain such a vector with very high probability The essential idea: Simply subset sum, no wavy distribution Family of functions All lattices look the same after adding some small amount of blur

38
**Open Problems Establish recommended parameters Cryptanalysis**

Known attacks limited to low dimension [NguyenStern98] New systems [Ajtai05,R05] are efficient and can be used with high dimensions Improved cryptosystems Use special classes of lattices

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google