Lattice-based Cryptography. Oded Regev, Tel-Aviv University. CRYPTO 2006, Santa Barbara, CA.

Outline
– Introduction to lattices
– Survey of lattice-based cryptography
  – Hash functions [Ajtai96, …]
  – Public-key cryptography [AjtaiDwork97, …]
– Construction of a simple lattice-based hash function
– Open problems

Lattice
– For any vectors $v_1, \ldots, v_n$ in $\mathbb{R}^n$, the lattice spanned by $v_1, \ldots, v_n$ is the set of points $L = \{a_1 v_1 + \cdots + a_n v_n \mid a_i \text{ integers}\}$
– These vectors form a basis of $L$
(Figure: a two-dimensional lattice with basis $v_1, v_2$; the points $0$, $2v_1$, $v_1 + v_2$, $2v_2$, $2v_2 - v_1$ and $2v_2 - 2v_1$ are labelled.)

History of Lattices
– Geometric objects with rich structure
– Investigated since 1800 by Lagrange, Gauss, Hermite, and Minkowski
– More recent developments:
  – LLL algorithm: finds 'somewhat short' vectors in lattices [LenstraLenstraLovász82]. Applications include:
    – Factoring polynomials over the rationals
    – Solving integer programs in fixed dimension
    – Cryptanalysis: breaking knapsack cryptosystems [LagariasOdlyzko85], breaking special cases of RSA [Coppersmith01], and more
  – Ajtai's lattice-based cryptographic construction [Ajtai96]

Shortest Vector Problem (SVP)
– SVP: given a lattice, find a shortest (nonzero) vector
– $\gamma$-approximate SVP: given a lattice, find a vector of length at most $\gamma$ times the shortest
– Other lattice problems: SIVP, SBP, etc.
(Figure: a two-dimensional lattice with basis $v_1, v_2$ in which the shortest vector is $3v_2 - 4v_1$.)

Lattice Problems Seem Hard
– We'll be interested in $\gamma$-approximate SVP for $\gamma = \mathrm{poly}(n)$
  – Best known algorithm runs in time $2^n$ [AjtaiKumarSivakumar01]
  – On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04]
– Best poly-time algorithm solves for $\gamma = 2^{n \log\log n / \log n}$ [LLL82, Schnorr85]
– NP-hard for sub-polynomial $\gamma$ [Khot04]
(Figure: the approximation factor $\gamma$ drawn on a line from $1$ through $2^{(\log n)^{1-\varepsilon}}$, $\sqrt{n}$ and $n$ up to $2^{n \log\log n / \log n}$, with the ranges labelled NP-hard, NP ∩ coNP, crypto, and P.)

Survey of Lattice-based Cryptography

Why use lattice-based cryptography?
'Standard' cryptography:
– Based on hardness of factoring, discrete log, etc.
– Based on an average-case assumption
– Broken by quantum algorithms
– Requires modular exponentiation etc.
Lattice-based cryptography:
– Based on hardness of lattice problems
– Based on a worst-case assumption
– (Still) not broken by quantum algorithms
– Very simple computations

Collision-Resistant Hash Functions
– A CRHF is a function $f: \{0,1\}^r \to \{0,1\}^s$ with $r > s$ such that it is hard to find collisions, i.e., $x \neq y$ s.t. $f(x) = f(y)$
– First lattice-based CRHF given in [Ajtai96]
  – Based on the worst-case hardness of $n^8$-approximate SVP
– Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04]
– Current state-of-the-art is a CRHF based on $n$-approximate SVP [MicciancioR04]

The Modular Subset-Sum Function
– Let $N$ be a big integer, and $m = 2\log_2 N$
– Choose $a_1, \ldots, a_m$ uniformly in $\{0, \ldots, N-1\}$. Then define $f_{a_1,\ldots,a_m}: \{0,1\}^m \to \{0, \ldots, N-1\}$ by $f_{a_1,\ldots,a_m}(b_1, \ldots, b_m) = \sum b_i a_i \bmod N$
– Since $m > \log_2 N$, (many) collisions exist
– We will later see a proof of security: being able to find a collision in a randomly chosen $f$, even with probability $n^{-100}$, implies a solution to any instance of approximate-SVP

Recent Work: More Efficient CRHFs
– In the constructions above, for security based on $n$-dimensional lattices, $O(n^2)$ bits are necessary to specify a hash function
– More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06]
  – Only $O(n)$ bits needed to specify a hash function
  – Based on worst-case hardness of approximate-SVP on a restricted class of lattices known as cyclic lattices

Public-key Cryptosystem
– A PKC allows parties to communicate securely without having to agree on a secret key beforehand
– First lattice-based PKC presented in [AjtaiDwork97]
  – Some improvements [GoldreichGoldwasserHalevi97, R03]
– Security based on the worst-case hardness of a special case of SVP known as unique-SVP
– Some disadvantages:
  – Based only on unique-SVP
  – Impractical (think of $n$ as $\approx 100$): public key size $O(n^4)$, encryption expands by $O(n^2)$

A Recent Public-key Cryptosystem [Ajtai05]
– Main advantages:
  – Practical (think of $n$ as $\approx 100$): public key size $O(n)$, encryption expands by $O(n)$
– Some disadvantages:
  – Not based on lattice problems
  – No worst-case hardness

Another Recent Public-key Cryptosystem [R05]
– Main advantages:
  – Practical (think of $n$ as $\approx 100$): public key size $O(n)$, encryption expands by $O(n)$
  – Worst-case hardness
  – Based on the main lattice problems (SVP, SIVP)
– One disadvantage:
  – Breaking the cryptosystem implies an efficient quantum algorithm for lattices

Example of a lattice-based PKC [R05]
– Everything modulo 4
– Private key: 4 random numbers; in the example, $(1, 2, 0, 3)$
– Public key: a $6 \times 4$ matrix and, for each row, an approximate inner product with the private key:
  $2\cdot1 + 0\cdot2 + 1\cdot0 + 2\cdot3 \approx 1$
  $1\cdot1 + 2\cdot2 + 2\cdot0 + 3\cdot3 \approx 2$
  $0\cdot1 + 2\cdot2 + 0\cdot0 + 3\cdot3 \approx 1$
  $1\cdot1 + 2\cdot2 + 0\cdot0 + 2\cdot3 \approx 0$
  $0\cdot1 + 3\cdot2 + 1\cdot0 + 3\cdot3 \approx 3$
  $3\cdot1 + 3\cdot2 + 0\cdot0 + 2\cdot3 \approx 2$
– The exact inner products are $0, 2, 1, 3, 3, 3$, so each published value is off by at most $1$ (modulo 4); to anyone without the private key the rows read $2\cdot? + 0\cdot? + 1\cdot? + 2\cdot? \approx 1$, and so on
– Encrypt the bit 0: add up a random subset of the rows, here giving $3\cdot? + 2\cdot? + 1\cdot? + 0\cdot? \approx 3$
– Encrypt the bit 1: the same sum with 2 (half the modulus) added to the right-hand side: $3\cdot? + 2\cdot? + 1\cdot? + 0\cdot? \approx 1$
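An added example (not code from the talk) of the [R05]-style scheme on this slide in Python: key generation, encryption by summing a random subset of public rows, and decryption by checking whether the leftover is near 0 or near half the modulus. The slide's modulus 4 is too small for reliable decryption, so the modulus, row count and error distribution here are constructed toy assumptions; `slide_errors` checks the slide's own six rows against the private key (1, 2, 0, 3).

```python
import random

# Constructed toy parameters: the slide works modulo 4 with 6 rows; the
# modulus is enlarged so that the accumulated error (at most one unit per
# row, hence at most M) stays below Q/4 and decryption is always correct.
Q, N, M = 101, 4, 24


def inner(a, s, q):
    """Inner product of two length-n vectors modulo q."""
    return sum(x * y for x, y in zip(a, s)) % q


def keygen(q=Q, n=N, m=M, rng=random):
    """Private key: n random numbers s.  Public key: m rows (a_i, b_i) where
    b_i is the inner product <a_i, s> plus an error in {-1, 0, 1}, modulo q."""
    s = [rng.randrange(q) for _ in range(n)]
    pk = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = rng.choice((-1, 0, 1))
        pk.append((a, (inner(a, s, q) + e) % q))
    return s, pk


def encrypt(pk, bit, q=Q, rng=random):
    """Sum a random subset of the public rows; for bit 1 add q//2 to the
    right-hand side, as the slide adds 2 (half of 4)."""
    a_sum = [0] * len(pk[0][0])
    b_sum = 0
    for a, b in pk:
        if rng.random() < 0.5:
            a_sum = [(x + y) % q for x, y in zip(a_sum, a)]
            b_sum = (b_sum + b) % q
    if bit:
        b_sum = (b_sum + q // 2) % q
    return a_sum, b_sum


def decrypt(s, ct, q=Q):
    """b - <a, s> mod q is a small error for bit 0 and near q/2 for bit 1."""
    a_sum, b_sum = ct
    d = (b_sum - inner(a_sum, s, q)) % q
    dist_to_zero = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 1 if dist_to_half < dist_to_zero else 0


def roundtrip(seed=2006, trials=50):
    """Encrypt and decrypt random bits under a fresh key; True if all match."""
    rng = random.Random(seed)
    s, pk = keygen(rng=rng)
    bits = [rng.randrange(2) for _ in range(trials)]
    return all(decrypt(s, encrypt(pk, b, rng=rng)) == b for b in bits)


# The slide's own instance: private key (1, 2, 0, 3) and six public rows.
SLIDE_S = (1, 2, 0, 3)
SLIDE_PK = [((2, 0, 1, 2), 1), ((1, 2, 2, 3), 2), ((0, 2, 0, 3), 1),
            ((1, 2, 0, 2), 0), ((0, 3, 1, 3), 3), ((3, 3, 0, 2), 2)]


def slide_errors(q=4):
    """Error of each published value relative to the exact inner product."""
    return [(b - inner(a, SLIDE_S, q)) % q for a, b in SLIDE_PK]
```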

Construction of a Lattice-based Collision Resistant Hash Function

Blurring a Picture

Blurring a Lattice

The Smoothing Radius
– Define the smoothing radius $\eta = \eta(L) > 0$ as the smallest real such that adding Gaussian blur of radius $\eta$ to $L$ yields an essentially uniform distribution
– The radius $\eta$ was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93]
– It was shown that $\eta$ is 'small' in the sense that finding vectors of length $\mathrm{poly}(n)\,\eta(L)$ implies a solution to $\mathrm{poly}(n)$-approximate SVP

An Alternative Definition
– Define $h: \mathbb{R}^n \to [0,1)^n$ that maps any $x = \sum \beta_i v_i$ to $h(x) = (\beta_1, \ldots, \beta_n) \bmod 1$
– E.g., any $x \in L$ has $h(x) = (0, \ldots, 0)$
– Then the alternative way to define $\eta$ is as: the smallest real such that if $x$ is sampled from a Gaussian distribution centered around $0$ of radius $\eta$, then $h(x)$ is 'essentially' uniform on $[0,1)^n$

(Figure: points $x_1, \ldots, x_4$ in $\mathbb{R}^n$ around $0$, and their images $h(x_1), \ldots, h(x_4)$ in the unit cube $[0,1)^n$ with corners $(0,0)$, $(1,0)$, $(0,1)$, $(1,1)$.)

Our CRHF
– Fix the dimension $n$, let $q = 2^{2n}$, and $m = 4n^2$
– Choose $a_1, \ldots, a_m$ uniformly in $\mathbb{Z}_q^n$. Then define $f_{a_1,\ldots,a_m}: \{0,1\}^m \to \{0,1\}^{n \log_2 q}$ by $f_{a_1,\ldots,a_m}(b_1, \ldots, b_m) = \sum b_i a_i \pmod q$
– Since $m > n \log_2 q$, (many) collisions exist
– We now prove security by showing that: being able to find a collision in a randomly chosen $f_{a_1,\ldots,a_m}$, even with probability $n^{-100}$, implies a solution to any instance of $\mathrm{poly}(n)$-approximate SVP
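An added example (not code from the talk) of the hash function on this slide, which also covers the modular subset-sum function of the earlier slide as its $n = 1$ case. It samples a key at the slide's parameters for a tiny dimension, finds a collision by exhaustive enumeration (the pigeonhole statement that collisions exist, feasible only at these toy sizes) and converts it into the vector $b$ with entries in $\{-1, 0, 1\}$ that the security proof's CollisionFind is assumed to output; function names and the toy sizes are assumptions.

```python
import random
from itertools import product


def sample_key(n, q, m, rng):
    """a_1, ..., a_m chosen uniformly in Z_q^n (describes the hash function)."""
    return [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m)]


def hash_sis(a, bits, q):
    """f_{a_1..a_m}(b_1..b_m) = sum_i b_i * a_i (mod q), with b_i in {0, 1}.
    With n = 1 and q = N this is exactly the modular subset-sum function."""
    out = [0] * len(a[0])
    for b, vec in zip(bits, a):
        if b:
            out = [(x + y) % q for x, y in zip(out, vec)]
    return tuple(out)


def slide_params(n):
    """The slide's choice q = 2^(2n), m = 4n^2, so that m > n log2 q = 2n^2."""
    return 2 ** (2 * n), 4 * n * n


def find_collision_bruteforce(a, q):
    """Pigeonhole demonstration for tiny parameters: there are 2^m inputs but
    only q^n outputs, so enumerating inputs must repeat an output."""
    seen = {}
    for bits in product((0, 1), repeat=len(a)):
        h = hash_sis(a, bits, q)
        if h in seen:
            return seen[h], bits
        seen[h] = bits
    return None


def collision_to_short_vector(a, x, y, q):
    """Turn a collision f(x) = f(y), x != y, into what CollisionFind outputs:
    b = x - y in {-1, 0, 1}^m, not all zero, with sum_i b_i a_i = 0 (mod q)."""
    if x == y or hash_sis(a, x, q) != hash_sis(a, y, q):
        raise ValueError("not a collision")
    b = [xi - yi for xi, yi in zip(x, y)]
    total = [0] * len(a[0])
    for bi, vec in zip(b, a):
        total = [(t + bi * v) % q for t, v in zip(total, vec)]
    assert all(t == 0 for t in total)   # holds by linearity of f
    return b


def demo(n=2, seed=1):
    """Key at the slide's parameters for dimension n (q = 16, m = 16 when
    n = 2), a brute-force collision, and the resulting short vector b."""
    q, m = slide_params(n)
    a = sample_key(n, q, m, random.Random(seed))
    x, y = find_collision_bruteforce(a, q)
    return a, collision_to_short_vector(a, x, y, q)


def modular_subset_sum_demo(N=64, m=12, seed=3):
    """The n = 1 case of the earlier slide: N = 64, m = 2 log2 N = 12."""
    key = sample_key(1, N, m, random.Random(seed))
    x, y = find_collision_bruteforce(key, N)
    return key, x, y
```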

Security Proof
– Assume there exists an algorithm CollisionFind that, given $a_1, \ldots, a_m$ chosen uniformly in $\mathbb{Z}_q^n$, finds with some non-negligible probability $b_1, \ldots, b_m \in \{-1, 0, 1\}$ (not all zero) such that $\sum b_i a_i = 0 \pmod q$
– This implies an algorithm CollisionFind' that, given $a_1, \ldots, a_m$ chosen uniformly from $[0,1)^n$, finds with some non-negligible probability $b_1, \ldots, b_m \in \{-1, 0, 1\}$ (not all zero) such that $\sum b_i a_i \approx (0, \ldots, 0) \pmod 1$ (up to $\pm m/q$ in each coordinate)

(Figure: CollisionFind' applied to points $a_1, \ldots, a_6$ in the unit square with corners $(0,0)$, $(1,0)$, $(0,1)$, $(1,1)$. Output: "$a_1 + a_2 - a_4 + a_5 \approx (0, \ldots, 0) \pmod 1$".)

Security Proof
– Our goal is to show that using CollisionFind' we can find a nonzero vector of length at most $\mathrm{poly}(n)\,\eta(L)$ in any given lattice $L$
– So let $L$ be a given lattice with basis $v_1, \ldots, v_n$
– By using the LLL algorithm, we can assume that $v_1, \ldots, v_n$ are not 'unreasonably' long: say, of length at most $2^n \eta(L)$

Security Proof – Main Procedure
– Sample $m$ vectors $x_1, \ldots, x_m$ from the Gaussian distribution around $0$ of radius $\eta$
– Compute $a_1 := h(x_1), \ldots, a_m := h(x_m)$
– Each $a_i$ is uniformly distributed in $[0,1)^n$
– Apply CollisionFind' to obtain $b_1, \ldots, b_m \in \{-1, 0, 1\}$ such that $\sum b_i h(x_i) \in (\pm m/q, \ldots, \pm m/q) \pmod 1$
– Define $y = \sum b_i x_i$. Then,
  – $y$ is short (of length $\le m\eta$)
  – $y$ is extremely close to a lattice point, since $h(y) = \sum b_i h(x_i) \in (\pm m/q, \ldots, \pm m/q) \pmod 1$

Security Proof – Main Procedure
– Write $y = \sum \beta_i v_i$ for some reals $\beta_1, \ldots, \beta_n$
– So each $\beta_i$ is within $m/q$ of an integer
– Define the lattice vector $y' = \sum \lfloor \beta_i \rceil v_i$, rounding each coefficient to the nearest integer
– The distance between $y$ and $y'$ is at most $\sum |\beta_i - \lfloor \beta_i \rceil| \cdot \|v_i\| \le n \cdot (m/q) \cdot 2^n \eta$, which for $q = 2^{2n}$ and $m = 4n^2$ is at most $\eta$ for all but small $n$
– So $y'$ is a lattice vector of length at most $(m+1)\eta$

(Figure: points $x_1, \ldots, x_4$ around $0$; CollisionFind'$(a_1, a_2, a_3, a_4)$ outputs "$-a_2 - a_3 + a_4 \approx 0 \pmod 1$"; the short vector $y$ and the nearby lattice vector $y'$ are marked.)

Security Proof – One Last Issue
– How to guarantee that $y'$ is nonzero?
– Maybe CollisionFind' acts in some 'malicious' way, trying to make $y'$ zero
– It can be shown that $a_i$ does not contain enough information about $x_i$
– In other words, conditioned on any fixed $a_i$, $x_i$ still has enough randomness to guarantee that $y'$ is nonzero with very high probability

Security Proof – Conclusion
– By a single call to the collision finder, we can find in any lattice a nonzero vector of length at most $(m+1)\eta$ with some non-negligible probability
– Obviously, by repeating this procedure we can obtain such a vector with very high probability
– The essential idea: all lattices look the same after adding some small amount of blur
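An added simulation (not from the talk) of the reduction's main procedure in dimension 2, with a constructed integer basis and CollisionFind' replaced by an exhaustive search over $b \in \{-1, 0, 1\}^m$; the basis, the Gaussian radius, the tolerance and the function names are assumptions. It computes $h$, the short combination $y$, the rounded lattice vector $y'$, and checks that $y'$ lies in $L$ and that the distance from $y$ to $y'$ is bounded by the tolerance times the sum of the basis lengths.

```python
import math
import random
from itertools import product

# Constructed example: a 2-dimensional lattice with an integer basis, so that
# membership of y' in L can be checked exactly.  v_1 = (3, 1), v_2 = (1, 4).
BASIS = ((3, 1), (1, 4))


def coords(x, basis=BASIS):
    """Real coefficients (beta_1, beta_2) with x = beta_1 v_1 + beta_2 v_2."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return ((x[0] * d - x[1] * c) / det, (a * x[1] - b * x[0]) / det)


def h(x, basis=BASIS):
    """h(x) = coefficients of x modulo 1; h of a lattice point is (0, 0)."""
    return tuple(t % 1.0 for t in coords(x, basis))


def collision_find_prime(points, tol):
    """Brute-force stand-in for CollisionFind': search b in {-1,0,1}^m, not all
    zero, for which sum b_i a_i is within tol of (0, 0) in each coordinate
    modulo 1.  Returns None when no b meets the tolerance."""
    best = None
    for b in product((-1, 0, 1), repeat=len(points)):
        if not any(b):
            continue
        s = [sum(bi * p[j] for bi, p in zip(b, points)) for j in range(2)]
        err = max(min(t % 1.0, 1.0 - t % 1.0) for t in s)
        if best is None or err < best[0]:
            best = (err, b)
    return best[1] if best[0] <= tol else None


def reduce_to_short_vector(basis=BASIS, m=7, sigma=3.0, tol=0.1, seed=2006):
    """The main procedure: blur m Gaussian samples, map them with h, ask the
    collision finder, combine into y, and round coefficients to get y' in L."""
    rng = random.Random(seed)
    xs = [(rng.gauss(0, sigma), rng.gauss(0, sigma)) for _ in range(m)]
    b = collision_find_prime([h(x, basis) for x in xs], tol)
    if b is None:
        return None
    y = tuple(sum(bi * x[j] for bi, x in zip(b, xs)) for j in range(2))
    k = [round(t) for t in coords(y, basis)]       # nearest integers
    v1, v2 = basis
    y_prime = (k[0] * v1[0] + k[1] * v2[0], k[0] * v1[1] + k[1] * v2[1])
    return {"b": b, "y": y, "y_prime": y_prime,
            "dist": math.dist(y, y_prime),
            "in_lattice": h(y_prime, basis) == (0.0, 0.0),
            # |y - y'| <= sum |beta_i - round(beta_i)| * |v_i| <= tol * sum |v_i|
            "dist_bound": tol * sum(math.hypot(*v) for v in basis)}
```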

Open Problems
– Cryptanalysis
  – Current attacks limited to low dimension [NguyenStern98]
  – New systems [Ajtai05, R05] are efficient and can be easily used with dimension 100+
– Improved cryptosystems
  – Construct the 'ultimate' lattice-based cryptosystem? (based on SVP, efficient)
  – Construct more efficient schemes based on special classes of lattices?

Open Problems
– Comparison with number theoretic cryptography
  – E.g., can one factor integers using an oracle for $n$-approximate SVP?
– Signature schemes
  – Can one construct provably secure lattice-based signature schemes?
– Security against chosen-ciphertext attacks
  – Known lattice-based cryptosystems are not secure against CCA