Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lattice-Based Cryptography

Similar presentations


Presentation on theme: "Lattice-Based Cryptography"— Presentation transcript:

1 Lattice-Based Cryptography

2 Small Integer Solution Problem (SIS) Learning With Errors
Lattice Problems Worst-Case Average-Case Small Integer Solution Problem (SIS) Learning With Errors Problem (LWE) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)

3 Learning With Errors Problem
Find the secret s a1, b1=<a1,s>+e1 a2, b2=<a2,s>+e2 s is chosen randomly in Zqn ai are chosen randomly from Zqn ei are “small” elements in Zq

4 (Decisional) Learning With Errors Problem
Distinguish between these two distributions: Oracle 1 Oracle 2 a1, b1=<a1,s>+e1 a2, b2=<a2,s>+e2 a1, b1 a2, b2 s is chosen randomly in Zqn ai are chosen randomly from Zqn ei are “small” elements in Zq ai are chosen randomly from Zqn bi are chosen randomly from Zq

5 LWE < d-LWE (a, b)=(a,<a,s>+e) pick random r in Zq
v, g = guess for <v,s> if g = <v,s>, then we will produce Oracle 1 distribution if g ≠ <v,s>, then we will produce Oracle 2 distribution Use distinguisher to tell us whether the guess for <v,s> was correct can set v=(1,0,...,0) then (0,1,0,...,0) ,... to recover all the bits of s (a, b)=(a,<a,s>+e) pick random r in Zq (a+rv, b+rg)=(a+rv,<a,s>+e+rg) if g=<v,s>, then (a+rv, b+rg)=(a+rv,<a,s>+e+r<v,s>) =(a+rv,<a+rv,s>+e)

6 LWE < d-LWE (a, b)=(a,<a,s>+e) pick random r in Zq
v, g = guess for <v,s> if g = <v,s>, then we will produce Oracle 1 distribution if g ≠ <v,s>, then we will produce Oracle 2 distribution Use distinguisher to tell us whether the guess for <v,s> was correct can set v=(1,0,...,0) then (0,1,0,...,0) ,... to recover all the bits of s (a, b)=(a,<a,s>+e) pick random r in Zq (a+rv, b+rg)=(a+rv,<a,s>+e+rg) if g≠<v,s>, then g=<v,s>+g' (a+rv, b+rg)=(a+rv,<a,s>+e+r<v,s>+rg') =(a+rv,<a+rv,s>+e+rg') r is independent of a+rv, s, e so, Pr[<a',s>+e+rg'= u | a'] = Pr[r=(u-(<a',s>+e))*(g')-1]=1/q

7 Learning With Errors Problem
. . . a1 s e b a2 + = am ai , s are in Zqn e is in Zqm All coefficients of e are < sqrt(q)

8 Learning With Errors Problem
+ = A is in Zqm x n s is in Zqn e is in Zqm All coefficients of e are < sqrt(q) LWE problem: Distinguish (A,As+e) from (A,b) where b is random

9 Public Key Encryption Based on LWE
Secret Key: s in Zqn Public Key: A in Zqm x n , b=As+e each coefficient of e is < sqrt(q) A s e b + = Encrypting a single bit z in {0,1}. Pick r in {0,1}m . Send (rA, <r,b>+z(q/2)) r A r b + z(q/2)

10 Proof of Semantic Security
b r A r b + = + z(q/2) If b is random, then (A,rA,<r,b>) is also completely random. So (A,rA,<r,b>+z(q/2)) is also completely random. Since (A,b) looks random (based on the hardness of LWE), so does (A,rA,<r,b>+z(q/2)) for any z

11 Decryption A s e b r A r b + = n m
+ z(q/2) Have (u,v) where u=rA and v=<r,b>+z(q/2) Compute (<u,s> - v) If <u,s> - v is closer to 0 than to q/2, then decrypt to 0 If <u,s> - v is closer to q/2 than to 0, then decrypt to 1 <u,s> - v = rAs – r(As+e) -z(q/2) =<r,e> - z(q/2) if all coefficients of e are < sqrt(q), |<r,e>| < m*sqrt(q) So if q >> m*sqrt(q), z(q/2) “dominates” the term <r,e> - z(q/2)

12 Lattices in Practice Lattices have some great features
Very strong security proofs The schemes are fairly simple Relatively efficient But there is a major drawback Schemes have very large keys

13 Hash Function Description of the hash function: a1,...,am in Zqn
Input: Bit-string z1...zm in {0,1}: a1 a2 am h(z1...zm) = z1 + z2 + … + zm Sample parameters: n=64, m=1024, p=257 Domain size: (1024 bits) Range size: (≈ 512 bits) Function description: log(257)*64*1024 ≈ 525,000 bits

14 Public-Key Cryptosystem
(Textbook) RSA: Key-size: ≈ 2048 bits Ciphertext length (2048 bit message): ≈ bits LWE-based scheme: Key-size: ≈ 600,000 bits Ciphertext length (2048 bit message): ≈ 40,000 bits

15 Source of Inefficiency
z A 4 11 6 8 10 7 6 14 1 7 7 1 2 13 3 h(z) = n 2 9 12 5 1 2 5 9 1 3 14 9 7 1 11 1 1 m 1 1 Require O(mn) storage Computing the function takes O(mn) time

16 A More Efficient Idea z A Now A only requires m storage
4 1 2 7 10 7 1 13 1 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 1 m 1 1 Now A only requires m storage Az can be computed faster as well

17 (4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2)
A More Efficient Idea A z 4 1 2 7 10 7 1 13 1 4 1 2 7 1 10 7 1 13 7 4 1 2 13 10 7 1 7 4 1 2 13 10 7 1 1 + = 2 7 4 1 1 13 10 7 2 7 4 1 1 13 10 7 1 1 2 7 4 7 1 13 10 1 1 2 7 4 1 7 1 13 10 1 1 (4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2) in Zp[x]/(xn-1)

18 Interlude: What is Zp[x]/(xn-1)?
Z = integers Zp=integers modulo p Zp[x] = polynomials with coefficients in Zp Example if p=3: 1+x, 2+x2+x1001 Zp[x]/(xn-1)=polynomials of degree at most n-1, with coefficients in Zp Example if p=3 and n=4: 1+x, 2+x+x2

19 Operations in Zp[x]/(xn-1)?
Addition: Addition of polynomials modulo p Example if p=3 and n=4: (1+x2) + (2+x2+x3)=2x2+x3 Multiplication: Polynomial multiplication modulo p and xn-1 (1+x2) * (2+x2+x3) = 2+3x2+x3+x4+x = 2+3x2+x3+1+x = x+x3

20 A More Efficient Idea z A
4 1 2 7 10 7 1 13 1 4 1 2 7 1 10 7 1 13 7 4 1 2 13 10 7 1 7 4 1 2 13 10 7 1 1 + = 2 7 4 1 1 13 10 7 2 7 4 1 1 13 10 7 1 1 2 7 4 7 1 13 10 1 1 2 7 4 1 7 1 13 10 1 1 (4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2) in Zp[x]/(xn-1) Multiplication in Zp[x]/(xn-1) takes time O(nlogn) using FFT

21 Great, a Better Hash Function!
Sample parameters: n=64, m=1024, p=257 Domain size: (1024 bits) Range size: (≈ 512 bits) Function description: log(257)*64*1024 ≈ 525,000 bits “New function” description: log(257)*64*16 ≈ 8192 bits and it's much faster!

22 But Is it Hard to Find Collisions?
z 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 m NO!

23 Finding Collisions D R h h R' D'

24 Finding Collisions in Zqn = +
4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 in Zqn = + 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 How many possibilities are there for this vector? qn There is a way to pick the z vector “smarter” so that the number of possibilities is just q

25 Finding Collisions 4 1 2 7 7 4 1 2 = 2 7 4 1 1 2 7 4 4 1 2 7 1 14 7 4 1 2 1 14 = 2 7 4 1 1 14 1 2 7 4 1 14

26 Finding Collisions = in Zqn +
4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 = in Zqn + 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 Set each block of z to either all 0's or all 1's How many possibilities for z are there? 2# of blocks Need 2# of blocks > q to guarantee a collision of this form # of blocks > log q

27 Collision-Resistant Hash Function
Given: Vectors a1,...,am in Zqn Find: non-trivial solution z1,...,zm in {-1,0,1} such that: a1 a2 am z1 + z2 + … + zm in Zqn = A=(a1,...,am) Define hA: {0,1}m → Zqn where hA(z1,...,zm)=a1z1 + … + amzm Domain of h = {0,1}m (size = 2m) Range of h = Zqn (size = qn) Set m>nlog q to get compression # of blocks = m/n > logq

28 But … A z = r 4 1 2 7 10 7 1 13 12 7 4 1 2 13 10 7 1 3 n = 2 7 4 1 1 13 10 7 7 1 2 7 4 7 1 13 10 4 m Theorem: For a random r in Zqn, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q=r

29 Lattice Problems for “Cyclic Lattices” Worst-Case Average-Case One-Way Functions

30 Cyclic Lattices A set L in Zn is a cyclic lattice if:
1.) For all v,w in L, v+w is also in L -1 2 3 -4 + -7 -2 3 6 = -8 6 2 2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4 3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 2 -4 -1 3 3 2 -4 -4 -1 -1 -1 -1 2 -1 3 2 2 2 2 2 3 -4 3 3 3 3 -4 -1 -4 -4 -4 -4

31 Cyclic Lattices=Ideals in Z[x]/(xn-1)
A set L in Zn is a cyclic lattice if: 1.) For all v,w in L, v+w is also in L -1 2 3 -4 + -7 -2 3 6 = -8 6 2 2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4 3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 2 -4 -1 3 3 2 -4 -4 -1 -1 -1 -1 2 -1 3 2 2 2 2 2 3 -4 3 3 3 3 -4 -1 -4 -4 -4 -4

32 (xn-1)-Ideal Lattices A set L in Zn is an (xn-1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L -1 2 3 -4 + -7 -2 3 6 = -8 6 2 2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4 3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 2 -4 -1 3 3 2 -4 -4 -1 -1 -1 -1 2 -1 3 2 2 2 2 2 3 -4 3 3 3 3 -4 -1 -4 -4 -4 -4

33 What About Hash Functions?
z 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 m Not Collision-Resistant

34 A “Simple” Modification
z 4 -1 -2 -7 10 -7 -1 -13 7 4 -1 -2 13 10 -7 -1 n 2 7 4 -1 1 13 10 -7 1 2 7 4 7 1 13 10 m Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q=0

35 Small Integer Solution Problem (SIS)
Lattice Problems for (xn+1)-Ideal Latices Worst-Case Average-Case Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt)

36 (xn+1)-Ideal Lattices A set L in Zn is an (xn+1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L 4 3 2 1 + 6 3 -2 -7 = 10 6 -6 2.) For all v in L, -v is also in L 4 3 2 1 -4 -3 -2 -1 3.) For all v in L, its “negative rotation” is also in L -4 3 2 -1 4 1 3 2 1 -4 -4 3 2 -1 1 -3 -4 3 2 -1 1 -3 -2

37 So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions More efficient than any other provably-secure hash function Almost as efficient as the ones used in practice Can only prove collision-resistance Signature schemes Theoretically, very efficient In practice, efficient Key length ≈ 20,000 bits Signature length ≈ 50,000 bits


Download ppt "Lattice-Based Cryptography"

Similar presentations


Ads by Google