Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

1 Lattice-Based Cryptography

2 Cryptographic Hardness Assumptions
- Factoring is hard
- Discrete Log Problem is hard
  - Diffie-Hellman problem is hard
  - Decisional Diffie-Hellman problem is hard
- Problems involving Elliptic Curves are hard
  - Many assumptions

3 Why Do We Need More Assumptions?
- Number theoretic functions are rather slow
- Factoring, Discrete Log, Elliptic curves are “of the same flavor”
- Quantum computers break all number theoretic assumptions

4 Lattice-Based Cryptography
- Seemingly very different assumptions from factoring, discrete log, elliptic curves
- Simple descriptions and implementations
- Very parallelizable
- Resists quantum attacks (we think)
- Security based on worst-case problems

5 Average-Case Assumptions vs. Worst-Case Assumptions
- Example: Want to base a scheme on factoring
  - Need to generate a “hard-to-factor” N
  - How?
  - Need a “hard distribution”

6 Picking a Hard-to-Factor N How do you pick a “good” N? Just pick p,q as random large primes and set N=pq? (1978) Largest prime factors of p-1,q-1 should be large (1981) p+1 and q+1 should have a large prime factor (1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors (1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors...

7 Picking a Hard-to-Factor N
- Need to know a probability distribution over Z such that picking an N according to it will make N hard to factor
- Wishful thinking: There is a distribution D such that factoring in the worst case reduces to factoring numbers chosen according to D

8 [Diagram. Worst-Case: Lattice Problems. Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE). Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes. Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption.]

9 Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors

10 Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors

11 Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

12 [Diagram. Worst-Case: Lattice Problems. Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE). Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes. Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption.]

13 [Diagram. Worst-Case: BDD, SIVP. Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE). Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes. Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption. Additional label: quantum.]

14 Small Integer Solution Problem
- Given: random vectors $a_1, \ldots, a_m$ in $\mathbb{Z}_q^n$
- Find: a non-trivial solution $z_1, \ldots, z_m$ in $\{-1,0,1\}$ such that $z_1 a_1 + z_2 a_2 + \cdots + z_m a_m = 0$
- Observations:
  - If the size of the $z_i$ is not restricted, then the problem is trivial
  - Immediately implies a collision-resistant hash function

15 [Diagram. Worst-Case: Lattice Problems. Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE). Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes. Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption.]

16 Collision-Resistant Hash Function
- Given: random vectors $a_1, \ldots, a_m$ in $\mathbb{Z}_q^n$
- Find: a non-trivial solution $z_1, \ldots, z_m$ in $\{-1,0,1\}$ such that $z_1 a_1 + z_2 a_2 + \cdots + z_m a_m = 0$
- $A = (a_1, \ldots, a_m)$. Define $h_A : \{0,1\}^m \to \mathbb{Z}_q^n$ where $h_A(z_1, \ldots, z_m) = a_1 z_1 + \cdots + a_m z_m$
- Domain of $h$ = $\{0,1\}^m$ (size = $2^m$)
- Range of $h$ = $\mathbb{Z}_q^n$ (size = $q^n$)
- Set $m > n \log q$ to get compression
- Collision: $a_1 z_1 + \cdots + a_m z_m = a_1 y_1 + \cdots + a_m y_m$
- So, $a_1 (z_1 - y_1) + \cdots + a_m (z_m - y_m) = 0$ and $z_i - y_i$ are in $\{-1,0,1\}$
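
The construction on slides 14 and 16, as an added Python example (not part of the original slides): it builds h_A for toy parameters, finds a collision by exhaustive search, and checks that the difference of the two inputs is an SIS solution. The parameters n=2, q=5, m=6, the seeded key and all function names are assumptions chosen for illustration.

```python
import itertools
import random

def keygen(n, m, q, seed=0):
    """Return A as a list of m vectors a_1..a_m, each in Z_q^n."""
    rng = random.Random(seed)  # constructed toy key; a real key needs a CSPRNG
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]

def h(A, z, q):
    """h_A(z) = a_1 z_1 + ... + a_m z_m mod q, for z in {0,1}^m."""
    n = len(A[0])
    return tuple(sum(a[j] * zi for a, zi in zip(A, z)) % q for j in range(n))

def find_collision(A, q):
    """Exhaustive search (toy sizes only) for z != y with h(z) == h(y)."""
    seen = {}
    for z in itertools.product((0, 1), repeat=len(A)):
        digest = h(A, z, q)
        if digest in seen:
            return seen[digest], z
        seen[digest] = z
    return None  # only possible when 2^m <= q^n, i.e. no compression

def collision_to_sis(z, y):
    """A collision (z, y) yields the SIS solution z - y in {-1,0,1}^m."""
    return [zi - yi for zi, yi in zip(z, y)]

def is_sis_solution(A, s, q):
    """Non-zero, entries in {-1,0,1}, and a_1 s_1 + ... + a_m s_m = 0 mod q."""
    n = len(A[0])
    small = all(si in (-1, 0, 1) for si in s) and any(s)
    zero = all(sum(a[j] * si for a, si in zip(A, s)) % q == 0 for j in range(n))
    return small and zero

def demo(n=2, q=5, m=6, seed=0):
    # m = 6 > n*log2(q) ~ 4.64, so 2^6 = 64 inputs map into 5^2 = 25 outputs
    A = keygen(n, m, q, seed)
    y, z = find_collision(A, q)
    s = collision_to_sis(z, y)
    return A, y, z, s
```

The vector (q, 0, ..., 0) also sums to zero mod q but is rejected by `is_sis_solution`, which is the "size of z_i is not restricted" observation from slide 14.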

17 [Diagram. Worst-Case: BDD, SIVP. Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE). Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes. Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption.]

18 For Any Lattice...
Consider the distribution obtained by:
1. Pick a uniformly random lattice point
2. Sample from a Gaussian distribution centered at the lattice point

19 One-Dimensional Gaussian Distribution

20 Two-Dimensional Gaussian Distribution Image courtesy of wikipedia

21 Gaussians on Lattice Points Image courtesy of Oded Regev

22 Gaussians on Lattice Points Image courtesy of Oded Regev

23 Gaussians on Lattice Points Image courtesy of Oded Regev

24 Gaussians on Lattice Points Image courtesy of Oded Regev

25 Shortest Independent Vector Problem (SIVP)
- Find n short linearly independent vectors
- Standard deviation of Gaussian that leads to the uniform distribution is related to the length of the longest vector in SIVP solution

26 Worst-Case to Average-Case Reduction

27

28 [Figure: lattice grid with axes labeled 0, 1, 2]
Important: All lattice points have label (0,0), and all points labeled (0,0) are lattice points ($0^n$ in n-dimensional lattices)

29 [Figure: lattice grid with axes labeled 0, 1, 2]
How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
- Pick a random lattice point

30 [Figure: lattice grid with axes labeled 0, 1, 2]
How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
- Pick a random lattice point
- Gaussian sample a point around the lattice point

31 [Figure: lattice grid with axes labeled 0, 1, 2]
How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
- Pick a random lattice point
- Gaussian sample a point around the lattice point
All the samples are uniform in $\mathbb{Z}_q^n$

32 [Figure: lattice grid with axes labeled 0, 1, 2]
How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
- Pick a random lattice point
- Gaussian sample a point around the lattice point
Give the m “$\mathbb{Z}_q^n$ samples” $a_1, \ldots, a_m$ to the SIS oracle
Oracle outputs $z_1, \ldots, z_m$ in $\{-1,0,1\}$ such that $a_1 z_1 + \cdots + a_m z_m = 0$

33 [Figure: lattice grid with axes labeled 0, 1, 2; the legend marks the points $s_i$ and $v_i$, with $v_i + r_i = s_i$]
- Give the m “$\mathbb{Z}_q^n$ samples” $a_1, \ldots, a_m$ to the SIS oracle
- Oracle outputs $z_1, \ldots, z_m$ in $\{-1,0,1\}$ such that $a_1 z_1 + \cdots + a_m z_m = 0$
- $s_1 z_1 + \cdots + s_m z_m$ is a lattice vector
- $(v_1 + r_1) z_1 + \cdots + (v_m + r_m) z_m$ is a lattice vector
- $(v_1 z_1 + \cdots + v_m z_m) + (r_1 z_1 + \cdots + r_m z_m)$ is a lattice vector
- So $r_1 z_1 + \cdots + r_m z_m$ is a lattice vector

34 [Figure: lattice grid with axes labeled 0, 1, 2; the legend marks the points $s_i$ and $v_i$, with $v_i + r_i = s_i$]
- Give the m “$\mathbb{Z}_q^n$ samples” $a_1, \ldots, a_m$ to the SIS oracle
- Oracle outputs $z_1, \ldots, z_m$ in $\{-1,0,1\}$ such that $a_1 z_1 + \cdots + a_m z_m = 0$
- So $r_1 z_1 + \cdots + r_m z_m$ is a lattice vector
- $r_i$ are short vectors, $z_i$ are in $\{-1,0,1\}$
- So $r_1 z_1 + \cdots + r_m z_m$ is a short lattice vector

35 Some Technicalities
- You can’t sample a “uniformly random” lattice point
  - In the proofs, we work with $\mathbb{R}^n / L$ rather than $\mathbb{R}^n$
  - So you don't need to sample a random lattice point
- What if $r_1 z_1 + \cdots + r_m z_m$ is 0?
  - Can show that with high probability it isn't
  - Given an $s_i$, there are multiple possible $r_i$
- Gaussian sampling doesn’t give us points on the grid
  - You can round to a grid point
  - Must be careful to bound the “rounding distance”
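
The loop on slides 29-34, including the rounding step from slide 35, as an added Python example (not part of the original slides). Assumptions: a constructed 2-dimensional basis, q = 3, the grid taken to be (1/q)L with a grid point's label being its basis coefficients mod q, a brute-force search standing in for the SIS oracle, and an arbitrary Gaussian width that is not claimed to make the labels uniform.

```python
import itertools
import random
from fractions import Fraction

B1, B2 = (7, 1), (2, 8)   # constructed basis of a toy lattice L in Z^2
DET = B1[0] * B2[1] - B2[0] * B1[1]
Q = 3                     # assumed grid (1/Q)L; labels live in Z_Q^2

def coeffs(x):
    """Coordinates of x in the basis (B1, B2), by Cramer's rule."""
    return ((x[0] * B2[1] - B2[0] * x[1]) / DET,
            (B1[0] * x[1] - x[0] * B1[1]) / DET)

def point(c, scale=1):
    """The point (c[0]*B1 + c[1]*B2) / scale, as exact fractions."""
    return tuple(Fraction(c[0] * B1[j] + c[1] * B2[j], scale) for j in range(2))

def sample(rng, sigma):
    """Lattice point v, Gaussian point around it, rounded to the grid."""
    v = point((rng.randrange(-5, 6), rng.randrange(-5, 6)))
    p = tuple(float(vj) + rng.gauss(0, sigma) for vj in v)
    c = tuple(round(Q * t) for t in coeffs(p))   # nearest grid point s = B*c/Q
    s = point(c, Q)
    r = (s[0] - v[0], s[1] - v[1])               # offset, rounding included
    return (c[0] % Q, c[1] % Q), r               # label a_i in Z_Q^2, and r_i

def sis_oracle(labels):
    """Brute-force stand-in for the SIS oracle (toy m only)."""
    for z in itertools.product((-1, 0, 1), repeat=len(labels)):
        sums = [sum(zi * a[j] for zi, a in zip(z, labels)) for j in range(2)]
        if any(z) and all(t % Q == 0 for t in sums):
            return z
    return None   # cannot happen once 2^m > Q^2 (pigeonhole)

def reduce_once(m=5, sigma=4.0, seed=1):
    """Return (w, offsets, z) with w = r_1 z_1 + ... + r_m z_m."""
    rng = random.Random(seed)
    labels, offsets = zip(*(sample(rng, sigma) for _ in range(m)))
    z = sis_oracle(labels)
    w = tuple(sum(zi * r[j] for zi, r in zip(z, offsets)) for j in range(2))
    return w, offsets, z   # w may be the zero vector (see slide 35)

def in_lattice(w):
    """True when w has integer coordinates in the basis (B1, B2)."""
    return all(t.denominator == 1 for t in coeffs(w))
```

`in_lattice(reduce_once()[0])` holds for every seed because the labels sum to zero mod q, and each coordinate of w is bounded by the sum of the corresponding |r_i| since every z_i is in {-1,0,1}.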

