Lattice-Based Cryptography

Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional Diffie-Hellman problem is hard Problems involving Elliptic Curves are hard  Many assumptions

Why Do We Need More Assumptions? Number theoretic functions are rather slow Factoring, Discrete Log, Elliptic curves are “of the same flavor” Quantum computers break all number theoretic assumptions

Lattice-Based Cryptography Seemingly very different assumptions from factoring, discrete log, elliptic curves Simple descriptions and implementations Very parallelizable Resists quantum attacks (we think) Security based on worst-case problems

Average-Case Assumptions vs. Worst-Case Assumptions Example: Want to base a scheme on factoring  Need to generate a “hard-to-factor” N  How?  Need a “hard distribution”

Picking a Hard-to-Factor N How do you pick a “good” N? Just pick p,q as random large primes and set N=pq? (1978) Largest prime factors of p-1,q-1 should be large (1981) p+1 and q+1 should have a large prime factor (1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors (1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors...

Picking a Hard-to-Factor N Need to know a probability distribution over Z such that picking an N according to it will make N hard to factor Wishful thinking: There is a distribution D such that factoring in the worst case reduces to factoring numbers chosen according to D

Lattice Problems Small Integer Solution Problem (SIS) Learning With Errors Problem (LWE) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania) Worst-Case Average-Case

Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors

Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors

Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

Lattice Problems Small Integer Solution Problem (SIS) Learning With Errors Problem (LWE) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania) Worst-Case Average-Case

BDD Small Integer Solution Problem (SIS) Learning With Errors Problem (LWE) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania) Worst-Case Average-Case SIVP quantum

Small Integer Solution Problem a1a1 a2a2 amam in Z q n Find: non-trivial solution z 1,...,z m in {-1,0,1} such that: z1z1 z2z2 zmzm ++ … + = 0 Given: Random vectors a 1,...,a m in Z q n Observations: If size of z i is not restricted, then the problem is trivial Immediately implies a collision-resistant hash function

Lattice Problems Small Integer Solution Problem (SIS) Learning With Errors Problem (LWE) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania) Worst-Case Average-Case

Collision-Resistant Hash Function a1a1 a2a2 amam in Z q n Find: non-trivial solution z 1,...,z m in {-1,0,1} such that: z1z1 z2z2 zmzm ++ … + = 0 Given: Random vectors a 1,...,a m in Z q n A=(a 1,...,a m ) Define h A : {0,1} m → Z q n where h A (z 1,...,z m )=a 1 z 1 + … + a m z m Domain of h = {0,1} m (size = 2 m ) Range of h = Z q n (size = q n ) Set m>nlog q to get compression Collision: a 1 z 1 + … + a m z m = a 1 y 1 + … + a m y m So, a 1 (z 1 -y 1 ) + … + a m (z m -y m ) = 0 and z i -y i are in {-1,0,1}

BDD Small Integer Solution Problem (SIS) Learning With Errors Problem (LWE) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania) Worst-Case Average-Case SIVP

For Any Lattice... Consider the distribution obtained by: 1. Pick a uniformly random lattice point 2. Sample from a Gaussian distribution centered at the lattice point

One-Dimensional Gaussian Distribution

Two-Dimensional Gaussian Distribution Image courtesy of wikipedia

Gaussians on Lattice Points Image courtesy of Oded Regev

Gaussians on Lattice Points Image courtesy of Oded Regev

Gaussians on Lattice Points Image courtesy of Oded Regev

Gaussians on Lattice Points Image courtesy of Oded Regev

Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors Standard deviation of Gaussian that leads to the uniform distribution is related to the length of the longest vector in SIVP solution

Worst-Case to Average-Case Reduction

Important: All lattice points have label (0,0) and All points labeled (0,0) are lattice points (0 n in n dimensional lattices)

How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point

How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point

How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point All the samples are uniform in Z q n

How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point Give the m “Z q n samples” a 1,...,a m to the SIS oracle Oracle outputs z 1,...,z m in {-1,0,1} such that a 1 z 1 + … + a m z m = 0

Give the m “Z q n samples” a 1,...,a m to the SIS oracle Oracle outputs z 1,...,z m in {-1,0,1} such that a 1 z 1 + … + a m z m = 0 = s i = v i s 1 z s m z m is a lattice vector (v 1 +r 1 )z (v m +r m )z m is a lattice vector (v 1 z v m z m ) + (r 1 z r m z m ) is a lattice vector So r 1 z r m z m is a lattice vector v i + r i = s i

Give the m “Z q n samples” a 1,...,a m to the SIS oracle Oracle outputs z 1,...,z m in {-1,0,1} such that a 1 z 1 + … + a m z m = 0 = s i = v i So r 1 z r m z m is a lattice vector r i are short vectors, z i are in {-1,0,1} So r 1 z r m z m is a short lattice vector v i + r i = s i

Some Technicalities You can’t sample a “uniformly random” lattice point  In the proofs, we work with R n / L rather than R n  So you don't need to sample a random point lattice point What if r 1 z r m z m is 0?  Can show that with high probability it isn't  Given an s i, there are multiple possible r i Gaussian sampling doesn’t give us points on the grid  You can round to a grid point  Must be careful to bound the “rounding distance”