1. Lattice-Based Cryptography

2. Small Integer Solution Problem (SIS) Learning With Errors
Lattice Problems
Worst-Case
Average-Case
Small Integer Solution
Problem (SIS)
Learning With Errors
Problem (LWE)
One-Way Functions
Collision-Resistant Hash Functions
Digital Signatures
Identification Schemes
(Minicrypt)
Public Key Encryption
Oblivious Transfer
Identity-Based Encryption
Hierarchical Identity-Based Encryption
(Cryptomania)

3. Learning With Errors Problem
Find the secret s
a1, b1=<a1,s>+e1
a2, b2=<a2,s>+e2 …
s is chosen randomly in Zqn
ai are chosen randomly from Zqn
ei are “small” elements in Zq

4. (Decisional) Learning With Errors Problem
Distinguish between these two distributions:
Oracle 1
Oracle 2
a1, b1=<a1,s>+e1
a2, b2=<a2,s>+e2 …
a1, b1
a2, b2 …
s is chosen randomly in Zqn
ai are chosen randomly from Zqn
ei are “small” elements in Zq
ai are chosen randomly from Zqn
bi are chosen randomly from Zq

5. LWE < d-LWE (a, b)=(a,<a,s>+e) pick random r in Zq
v, g = guess for <v,s>
if g = <v,s>, then we will produce Oracle 1 distribution
if g ≠ <v,s>, then we will produce Oracle 2 distribution
Use distinguisher to tell us whether the guess for <v,s> was correct
can set v=(1,0,...,0) then (0,1,0,...,0) ,... to recover all the bits of s
(a, b)=(a,<a,s>+e)
pick random r in Zq
(a+rv, b+rg)=(a+rv,<a,s>+e+rg)
if g=<v,s>, then
(a+rv, b+rg)=(a+rv,<a,s>+e+r<v,s>)
=(a+rv,<a+rv,s>+e)

6. LWE < d-LWE (a, b)=(a,<a,s>+e) pick random r in Zq
v, g = guess for <v,s>
if g = <v,s>, then we will produce Oracle 1 distribution
if g ≠ <v,s>, then we will produce Oracle 2 distribution
Use distinguisher to tell us whether the guess for <v,s> was correct
can set v=(1,0,...,0) then (0,1,0,...,0) ,... to recover all the bits of s
(a, b)=(a,<a,s>+e)
pick random r in Zq
(a+rv, b+rg)=(a+rv,<a,s>+e+rg)
if g≠<v,s>, then g=<v,s>+g'
(a+rv, b+rg)=(a+rv,<a,s>+e+r<v,s>+rg')
=(a+rv,<a+rv,s>+e+rg')
r is independent of a+rv, s, e
so, Pr[<a',s>+e+rg'= u | a'] = Pr[r=(u-(<a',s>+e))*(g')-1]=1/q

7. Learning With Errors Problem
. . . a1 s e b a2 + = am
ai , s are in Zqn
e is in Zqm All coefficients of e are < sqrt(q)

8. Learning With Errors Problem+ =
A is in Zqm x n s is in Zqn e is in Zqm
All coefficients of e are < sqrt(q)
LWE problem: Distinguish (A,As+e) from (A,b) where b is random

9. Public Key Encryption Based on LWE
Secret Key: s in Zqn
Public Key: A in Zqm x n , b=As+e
each coefficient of e is < sqrt(q) A s e b + =
Encrypting a single bit z in {0,1}. Pick r in {0,1}m . Send (rA, <r,b>+z(q/2)) r A r b
+ z(q/2)

10. Proof of Semantic Securityb r A r b + =
+ z(q/2)
If b is random, then (A,rA,<r,b>) is also completely random.
So (A,rA,<r,b>+z(q/2)) is also completely random.
Since (A,b) looks random (based on the hardness of LWE),
so does (A,rA,<r,b>+z(q/2)) for any z

11. Decryption A s e b r A r b + = n m
+ z(q/2)
Have (u,v) where u=rA and v=<r,b>+z(q/2)
Compute (<u,s> - v)
If <u,s> - v is closer to 0 than to q/2, then decrypt to 0
If <u,s> - v is closer to q/2 than to 0, then decrypt to 1
<u,s> - v = rAs – r(As+e) -z(q/2)
=<r,e> - z(q/2)
if all coefficients of e are < sqrt(q), |<r,e>| < m*sqrt(q)
So if q >> m*sqrt(q), z(q/2) “dominates” the term <r,e> - z(q/2)

12. Lattices in Practice Lattices have some great features
Very strong security proofs
The schemes are fairly simple
Relatively efficient
But there is a major drawback
Schemes have very large keys

13. Hash Function Description of the hash function: a1,...,am in Zqn
Input: Bit-string z1...zm in {0,1}: a1 a2 am
h(z1...zm) = z1 + z2
+ … + zm
Sample parameters:
n=64, m=1024, p=257
Domain size: (1024 bits)
Range size: (≈ 512 bits)
Function description: log(257)*64*1024 ≈ 525,000 bits

14. Public-Key Cryptosystem
(Textbook) RSA:
Key-size: ≈ 2048 bits
Ciphertext length (2048 bit message): ≈ bits
LWE-based scheme:
Key-size: ≈ 600,000 bits
Ciphertext length (2048 bit message): ≈ 40,000 bits

15. Source of Inefficiencyz A 4 11 6 8 10 7 6 14 1 7 7 1 2 13 3
h(z) = n 2 9 12 5 1 2 5 9 1 3 14 9 7 1 11 1 1 m 1 1
Require O(mn) storage
Computing the function takes O(mn) time

16. A More Efficient Idea z A Now A only requires m storage4 1 2 7 10 7 1 13 1 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 1 m 1 1
Now A only requires m storage
Az can be computed faster as well

17. (4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2)
A More Efficient Idea A z 4 1 2 7 10 7 1 13 1 4 1 2 7 1 10 7 1 13 7 4 1 2 13 10 7 1 7 4 1 2 13 10 7 1 1 + = 2 7 4 1 1 13 10 7 2 7 4 1 1 13 10 7 1 1 2 7 4 7 1 13 10 1 1 2 7 4 1 7 1 13 10 1 1
(4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2)
in Zp[x]/(xn-1)

18. Interlude: What is Zp[x]/(xn-1)?
Z = integers
Zp=integers modulo p
Zp[x] = polynomials with coefficients in Zp
Example if p=3: 1+x, 2+x2+x1001
Zp[x]/(xn-1)=polynomials of degree at most n-1, with coefficients in Zp
Example if p=3 and n=4: 1+x, 2+x+x2

19. Operations in Zp[x]/(xn-1)?
Addition:
Addition of polynomials modulo p
Example if p=3 and n=4:
(1+x2) + (2+x2+x3)=2x2+x3
Multiplication:
Polynomial multiplication modulo p and xn-1
(1+x2) * (2+x2+x3) = 2+3x2+x3+x4+x = 2+3x2+x3+1+x = x+x3

20. A More Efficient Idea z A4 1 2 7 10 7 1 13 1 4 1 2 7 1 10 7 1 13 7 4 1 2 13 10 7 1 7 4 1 2 13 10 7 1 1 + = 2 7 4 1 1 13 10 7 2 7 4 1 1 13 10 7 1 1 2 7 4 7 1 13 10 1 1 2 7 4 1 7 1 13 10 1 1
(4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2) in Zp[x]/(xn-1)
Multiplication in Zp[x]/(xn-1) takes time O(nlogn) using FFT

21. Great, a Better Hash Function!
Sample parameters:
n=64, m=1024, p=257
Domain size: (1024 bits)
Range size: (≈ 512 bits)
Function description: log(257)*64*1024 ≈ 525,000 bits
“New function” description: log(257)*64*16 ≈ 8192 bits
and it's much faster!

22. But Is it Hard to Find Collisions?z 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 m
NO!

23. Finding Collisions D R h h R' D'

24. Finding Collisions in Zqn = +4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1
in Zqn = + 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10
How many possibilities are there for this vector? qn
There is a way to pick the z vector “smarter” so that the number of possibilities is just q

25. Finding Collisions 4 1 2 7 7 4 1 2 = 2 7 4 1 1 2 7 4 4 1 2 7 1 14 7 4 1 2 1 14 = 2 7 4 1 1 14 1 2 7 4 1 14

26. Finding Collisions = in Zqn +4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 =
in Zqn + 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10
Set each block of z to either all 0's or all 1's
How many possibilities for z are there?
2# of blocks
Need 2# of blocks > q to guarantee a collision of this form
# of blocks > log q

27. Collision-Resistant Hash Function
Given: Vectors a1,...,am in Zqn
Find: non-trivial solution z1,...,zm in {-1,0,1} such that: a1 a2 am z1 + z2
+ … + zm
in Zqn =
A=(a1,...,am) Define hA: {0,1}m → Zqn where
hA(z1,...,zm)=a1z1 + … + amzm
Domain of h = {0,1}m (size = 2m) Range of h = Zqn (size = qn)
Set m>nlog q to get compression
# of blocks = m/n > logq

28. But … A z = r 4 1 2 7 10 7 1 13 12 7 4 1 2 13 10 7 1 3 n = 2 7 4 1 1 13 10 7 7 1 2 7 4 7 1 13 10 4 m
Theorem: For a random r in Zqn, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q=r

29. Lattice Problems
for “Cyclic Lattices”
Worst-Case
Average-Case
One-Way Functions

30. Cyclic Lattices A set L in Zn is a cyclic lattice if:
1.) For all v,w in L, v+w is also in L -1 2 3 -4 + -7 -2 3 6 = -8 6 2
2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4
3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 2 -4 -1 3 3 2 -4 -4 -1 -1 -1 -1 2 -1 3 2 2 2 2 2 3 -4 3 3 3 3 -4 -1 -4 -4 -4 -4

31. Cyclic Lattices=Ideals in Z[x]/(xn-1)
A set L in Zn is a cyclic lattice if:
1.) For all v,w in L, v+w is also in L -1 2 3 -4 + -7 -2 3 6 = -8 6 2
2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4
3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 2 -4 -1 3 3 2 -4 -4 -1 -1 -1 -1 2 -1 3 2 2 2 2 2 3 -4 3 3 3 3 -4 -1 -4 -4 -4 -4

32. (xn-1)-Ideal Lattices A set L in Zn is an (xn-1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L -1 2 3 -4 + -7 -2 3 6 = -8 6 2
2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4
3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 2 -4 -1 3 3 2 -4 -4 -1 -1 -1 -1 2 -1 3 2 2 2 2 2 3 -4 3 3 3 3 -4 -1 -4 -4 -4 -4

33. What About Hash Functions?z 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 m
Not Collision-Resistant

34. A “Simple” Modificationz 4 -1 -2 -7 10 -7 -1
-13 7 4 -1 -2 13 10 -7 -1 n 2 7 4 -1 1 13 10 -7 1 2 7 4 7 1 13 10 m
Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q=0

35. Small Integer Solution Problem (SIS)
Lattice Problems for
(xn+1)-Ideal Latices
Worst-Case
Average-Case
Small Integer Solution
Problem (SIS)
One-Way Functions
Collision-Resistant Hash Functions
Digital Signatures
Identification Schemes
(Minicrypt)

36. (xn+1)-Ideal Lattices A set L in Zn is an (xn+1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L 4 3 2 1 + 6 3 -2 -7 = 10 6 -6
2.) For all v in L, -v is also in L 4 3 2 1 -4 -3 -2 -1
3.) For all v in L, its “negative rotation” is also in L -4 3 2 -1 4 1 3 2 1 -4 -4 3 2 -1 1 -3 -4 3 2 -1 1 -3 -2

37. So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions
More efficient than any other provably-secure hash function
Almost as efficient as the ones used in practice
Can only prove collision-resistance
Signature schemes
Theoretically, very efficient
In practice, efficient
Key length ≈ 20,000 bits
Signature length ≈ 50,000 bits