1 / 52

Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky

Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011). La Cryptographie R eposant sur les Réseaux : de la Pratique à la Théorie à la Pratique Vadim Lyubashevsky INRIA / CNRS / ENS Paris

adsila
Download Presentation

Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lattice-Based Cryptography: From Practice to Theory to Practice VadimLyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)

  2. La CryptographieReposantsurles Réseaux: de la Pratique à la Théorie à la Pratique VadimLyubashevsky INRIA / CNRS / ENS Paris (Septembre12, 2011)

  3. Lattice-Based Encryption Schemes • NTRU [Hoffstein, Pipher, Silverman ‘98] • LWE-Based [Regev ‘05] • Ring-LWE Based [L, Peikert, Regev ’10] • “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11]

  4. CryptosystèmesReposantsur les Réseaux • NTRU [Hoffstein, Pipher, Silverman ‘98] • Reposantsur LWE [Regev ‘05] • ReposantsurAnneau-LWE [L, Peikert, Regev ’10] • “NTRU” avec unepreuve de la sécurité [Stehle, Steinfeld ‘11]

  5. Subset Sum Problem • Subset-Sum Based [L, Palacio, Segev ‘10] • LWE-Based [Regev ‘05] • Ring-LWE Based [L, Peikert, Regev ’10] • “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11] • NTRU [Hoffstein, Pipher, Silverman ‘98]

  6. Part 0.The Subset Sum Problem

  7. ai ,T in ZM ai are chosen randomly T is a sum of a random subset of the ai a1 a2 a3 … anT Find a subset of ai's that sums to T (mod M) Subset Sum Problem

  8. ai ,T in Z49 ai are chosen randomly T is a sum of a random subset of the ai 15 31 24 3 1411 15 + 31 + 14=11(mod 49) Subset Sum Problem

  9. ai ,T in ZM a1 a2 a3 … anT Find a subset of ai's that sums to T (mod M) Hardness Depends on: Size of n and M Relationship between n and M How Hard is Subset Sum?

  10. Complexity of Solving Subset Sum M 2log²(n) 2n 2n log(n) 2n² poly(n) 2Ω(n) poly(n) run-time “generalized birthday attacks” [FlaPrz05,Lyu06,Sha08] “lattice reduction attacks” [LagOdl85,Fri86]

  11. Subset Sum Crypto • Why? • Simple operations • Exponential hardness • Seems very different from number theoretic assumptions • Seems to resist quantum attacks

  12. Subset Sum is “Pseudorandom” • [Impagliazzo-Naor 1989]: • For random a1,...,an in ZM and random x1,...,xn in {0,1} • distinguishing the distribution • (a1,...,an, a1x1+...+anxn mod M) • from the uniform distribution U(ZMn+1) is as hard as finding x1,...,xn

  13. Part 1.Cryptosystem Based on Subset Sum[L, Palacio, Segev 2010]

  14. Public Key Encryption Allows for secure communication between parties who have previously never met

  15. Public Key Encryption public key: p secret key: s Encrypt, Decrypt Decrypt(s,Encrypt(p,M))=M c=Encrypt(p,M) M=Decrypt(s,c)

  16. Public Key Encryption What does “secure” mean? Intuitive answer: The adversary should not be able to read the message. c=Encrypt(p,M)

  17. Public Key Encryption What does “secure” mean? Intuitive answer: The adversary should not be able to read the message. But what about other information about the message? c=Encrypt(p,M), c=Encrypt(p,M) E.g. If adversary can figure out that the same message was sent twice, is the scheme “secure”?

  18. Public Key Encryption What does “secure” mean? Semantic Security: For every 2 messages M, M', it's impossible to distinguish Encrypt(p,M) from Encrypt(p,M') in polynomial time The Encrypt algorithm must be randomized!

  19. Subset Sum Cryptosystem • Semantically secure based on Subset Sum for M ≈ nn • Main tools Subset sum is pseudo-random Addition in (Zq)n is “kind of like” addition in ZM where M=qn • The proof is very simple

  20. Want to add 4679+3907+8465+1343 mod 104 4 6 7 9 3 9 0 7 8 4 6 5 1 3 4 3 Facts About Addition 2 1 2 4 6 7 9 3 9 0 7 8 4 6 5 1 3 4 3 6 2 7 4 8 3 9 4 Adding n numbers (written in base q) modulo qm → carries < n If q>>n, then Adding with carries ≈ Adding without carries (i.e. in ZM) (i.e. in (Zq)n )

  21. So... 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 1 1 0 1 1 1 0 1 2 1 1 0 + = 8 1 1 9 0 2 2 9 = NOT Pseudorandom! Pseudorandom based on Subset Sum!

  22. Column Subset Sum Addition Is Also Pseudorandom 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 1 1 0 1 1 1 1 0 0 9 8 0 + =

  23. “Hybrid” Subset Sum Addition Is Also Pseudorandom 4 6 7 9 0 3 9 0 7 9 8 4 6 5 8 1 6 4 3 0 1 0 0 1 pseudorandom 1 1 1 0 0 + 6 3 2 2 0 =

  24. Encryption Scheme (for 1 bit) A s t A t r + = {0,1}n + Zqn x n {0,1}n = u v Public Key

  25. Encryption Scheme A s t A t r + = + = u v Is pseudo-random based on the hardness of the subset sum problem

  26. Encryption Scheme A s t A t r + = + = u v = + v A A s s r r + + = A A s s r

  27. Encryption Scheme A s t A t r + = + = u v + = A r s s u + ≈ = v s A r

  28. Encryption Scheme A s t A t r + = + = u v Encryption of 0 - = s u v

  29. Encryption Scheme A s t A t r + = + = u v + Encryption of 1 0 q/2 = - + = v’ q/2 s u v’ u

  30. Part 2.Cryptosystem Based on Learning With Errors andWorst-Case Lattice Problems[Regev 2005]

  31. Encryption Scheme(what we needed) A s t A t r + = + = “small” u v Pseudorandom

  32. Picking the “Carries” • In Subset Sum: carries were deterministic • What if … we pick the “carries” at random from some distribution?

  33. So... 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 1 1 0 1 2 3 0 1 2 1 1 0 + 1 3 2 1 + 0 2 2 9 = 7 2 0 3 = Pseudorandom based on Subset Sum! Pseudorandom based on LWE and worst-case lattice problems [Reg ‘05] (with a lemma from [ACPS ‘09])

  34. Learning With Errors (LWE) Problem a1 . . . s e b a2 + = am Given aiand<ai,s>+eifind s. (eiand s are “small”) (Once there are enough ai , the s is uniquely determined) Theorem [Regev '05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE.

  35. Decision LWE Problem World 1 World 2 a1 a1 . . . b . . . s e b a2 a2 + = am am uniformly random in Zpm Lemma[Reg ’05]: Search-LWE < Decision-LWE

  36. LWE vs. Subset Sum • The Subset Sum assumption has deterministic “noise” • The LWE assumption is more “versatile” LWE Problem Subset Sum Problem a1 . . . s e b s b a2 EASY !! a1 a2 … an n2 + = n2 + = am n n

  37. LWE / Subset Sum Encryption A s t A t r + = + = u v

  38. Part 3.Cryptosystem Based on Learning With Errors over Rings andWorst-Case Ideal Lattice Problems[L, Peikert, Regev 2010]

  39. Source of Inefficiency of LWE Getting just one extra random-looking number requires n random numbers and a small error element. 2 8 7 3 1 2 1 + = * 0 2 1 Wishful thinking: get n random numbers and produce n pseudo-random numbers in “one shot” 2 1 8 0 + = * 7 2 3 1

  40. Use Polynomials • f(x) is a polynomial xn+ an-1xn-1 + … + a1x + a0 • R = Zp[x]/(f(x)) is a polynomial ring with • Addition mod p • Polynomial multiplication mod p and f(x) • Each element of R consists of n elements in Zp • In R: • small+small = small • small*small = small (depending on f(x) )

  41. Polynomial Interpretation of the LWE-based cryptosystem a s + = t r a + = u + r t = v Public Key v - u s = + - r a + s r t + - r a s + r a + s + r - s =

  42. Security a s + = t r a + = u + r t = v Pseudorandom??

  43. Learning With Errors over Rings a1 s e1 b1 a2 e2 b2 a3 e3 b3 + = … … … am em bm Theorem [LPR ‘10]: Finding s is as hard as solving lattice problems in all ideals of the ring Z[x]/(f(x))

  44. Decision Learning With Errors over Rings World 1 World 2 a1 s b1 a1 b1 a2 b2 a2 b2 a3 b3 a3 b3 + = … … … … am bm am bm Theorem [LPR ‘10]: In cyclotomic rings, Search-RLWE < Decision-RLWE

  45. Use Polynomials in Zp[x]/(f(x)) a s + = t r a + = u + r t = v

  46. Part 4.1-Element Cryptosystem Based on Learning With Errors over Rings andWorst-Case Ideal Lattice Problems[Stehle, Steinfeld 2011]

  47. Number of Ring Elements a s + = t r a + = u + r t = v p Encryption of m: u v + m , 2 Can you have a ciphertext with just 1 ring element?

  48. Stehle, Steinfeld Cryptosystem “small” coefficients f a u a r + + m mod p = = 2 mod p g Uniformly random Pseudorandom based on Ring-LWE u g f r + g + g m = 2 u g mod 2 = g m u g mod 2 m = g

  49. Part 5.NTRU Cryptosystem[Hoffstein, Pipher, Silverman 1998]

  50. NTRU Cryptosystem f g - Very small f a u a r + + m mod p = = 2 mod p g “looks” random If a is random, then pseudorandom based on Ring-LWE u g f r + g + g m = 2 Since f, g are smaller, p can be smaller as well

More Related