370 likes | 381 Views
Lattice-Based Cryptography. Lattice Problems. Worst-Case. Average-Case. Learning With Errors Problem (LWE). Small Integer Solution Problem (SIS). One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt). Public Key Encryption
E N D
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Learning With Errors Problem Find the secret s a1, b1=<a1,s>+e1 a2, b2=<a2,s>+e2 … s is chosen randomly in Zqn ai are chosen randomly from Zqn ei are “small” elements in Zq
(Decisional) Learning With Errors Problem Distinguish between these two distributions: Oracle 1 Oracle 2 a1, b1=<a1,s>+e1 a2, b2=<a2,s>+e2 … a1, b1 a2, b2 … s is chosen randomly in Zqn ai are chosen randomly from Zqn ei are “small” elements in Zq ai are chosen randomly from Zqn bi are chosen randomly from Zq
LWE < d-LWE v, g = guess for <v,s> if g = <v,s>, then we will produce Oracle 1 distribution if g ≠ <v,s>, then we will produce Oracle 2 distribution Use distinguisher to tell us whether the guess for <v,s> was correct can set v=(1,0,...,0) then (0,1,0,...,0) ,... to recover all the bits of s (a, b)=(a,<a,s>+e) pick random r in Zq (a+rv, b+rg)=(a+rv,<a,s>+e+rg) if g=<v,s>, then (a+rv, b+rg)=(a+rv,<a,s>+e+r<v,s>) =(a+rv,<a+rv,s>+e)
LWE < d-LWE v, g = guess for <v,s> if g = <v,s>, then we will produce Oracle 1 distribution if g ≠ <v,s>, then we will produce Oracle 2 distribution Use distinguisher to tell us whether the guess for <v,s> was correct can set v=(1,0,...,0) then (0,1,0,...,0) ,... to recover all the bits of s (a, b)=(a,<a,s>+e) pick random r in Zq (a+rv, b+rg)=(a+rv,<a,s>+e+rg) if g≠<v,s>, then g=<v,s>+g' (a+rv, b+rg)=(a+rv,<a,s>+e+r<v,s>+rg') =(a+rv,<a+rv,s>+e+rg') r is independent of a+rv, s, e so, Pr[<a',s>+e+rg'= u | a'] = Pr[r=(u-(<a',s>+e))*(g')-1]=1/q
Learning With Errors Problem . . . a1 s e b a2 + = am ai , s are in Zqn e is in Zqm All coefficients of e are < sqrt(q)
LearningWith Errors Problem A s e b + = A is in Zqm x n s is in Zqn e is in Zqm All coefficients of e are < sqrt(q) LWE problem: Distinguish (A,As+e) from (A,b) where b is random
Public Key Encryption Based on LWE Secret Key: s in Zqn Public Key: A in Zqm x n , b=As+e each coefficient of e is < sqrt(q) A s e b + = Encrypting a single bit z in {0,1}. Pick r in {0,1}m . Send (rA, <r,b>+z(q/2)) r A r b + z(q/2)
Proof of Semantic Security r A r b A s e b + z(q/2) + = If b is random, then (A,rA,<r,b>) is also completely random. So (A,rA,<r,b>+z(q/2)) is also completely random. Since (A,b) looks random (based on the hardness of LWE), so does (A,rA,<r,b>+z(q/2)) for any z
Decryption n r A r b A s e b + z(q/2) + m = Have (u,v) where u=rA and v=<r,b>+z(q/2) Compute (<u,s> - v) If <u,s> - v is closer to 0 than to q/2, then decrypt to 0 If <u,s> - v is closer to q/2 than to 0, then decrypt to 1 <u,s> - v = rAs – r(As+e) -z(q/2) =<r,e> - z(q/2) if all coefficients of e are < sqrt(q), |<r,e>| < m*sqrt(q) So if q >> m*sqrt(q), z(q/2) “dominates” the term <r,e> - z(q/2)
Lattices in Practice • Lattices have some great features • Very strong security proofs • The schemes are fairly simple • Relatively efficient • But there is a major drawback • Schemes have very large keys
Hash Function Description of the hash function: a1,...,am in Zqn Input: Bit-string z1...zm in {0,1}: a1 a2 am z1 z2 zm + + … + h(z1...zm) = Sample parameters: n=64, m=1024, p=257 Domain size: 21024 (1024 bits) Range size: 25764 (≈ 512 bits) Function description: log(257)*64*1024 ≈ 525,000 bits
Public-Key Cryptosystem • (Textbook) RSA: • Key-size: ≈ 2048 bits • Ciphertext length (2048 bit message): ≈ 2048 bits • LWE-based scheme: • Key-size: ≈ 600,000 bits • Ciphertext length (2048 bit message): ≈ 40,000 bits
Source of Inefficiency z A 4 11 6 8 10 7 6 14 1 7 7 1 2 13 0 3 0 0 n h(z) = 2 9 12 5 1 2 5 9 0 1 3 14 9 7 1 11 1 1 0 m 1 1 0 Require O(mn) storage Computing the function takes O(mn) time
A More Efficient Idea z A 4 1 2 7 10 7 1 13 1 7 4 1 2 13 10 7 1 0 n 2 7 4 1 1 13 10 7 0 1 2 7 4 7 1 13 10 1 0 m 1 1 0 Now A only requires m storage Az can be computed faster as well
A More Efficient Idea z A 4 1 2 7 10 7 1 13 4 1 2 7 10 7 1 13 1 1 0 7 4 1 2 13 10 7 1 7 4 1 2 13 10 7 1 0 0 1 + = 2 7 4 1 1 13 10 7 2 7 4 1 1 13 10 7 0 0 1 1 2 7 4 7 1 13 10 1 2 7 4 7 1 13 10 1 1 0 0 1 1 0 (4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2) in Zp[x]/(xn-1)
Interlude: What is Zp[x]/(xn-1)? • Z = integers • Zp=integers modulo p • Zp[x] = polynomials with coefficients in Zp • Example if p=3: 1+x, 2+x2+x1001 • Zp[x]/(xn-1)=polynomials of degree at most n-1, with coefficients in Zp • Example if p=3 and n=4: 1+x, 2+x+x2
Operations in Zp[x]/(xn-1)? • Addition: • Addition of polynomials modulo p • Example if p=3 and n=4: (1+x2) + (2+x2+x3)=2x2+x3 • Multiplication: • Polynomial multiplication modulo p and xn-1 • Example if p=3 and n=4: (1+x2) * (2+x2+x3) = 2+3x2+x3+x4+x5 = 2+3x2+x3+1+x = x+x3
A More Efficient Idea z A 4 1 2 7 10 7 1 13 4 1 2 7 10 7 1 13 1 1 0 7 4 1 2 13 10 7 1 7 4 1 2 13 10 7 1 0 0 1 + = 2 7 4 1 1 13 10 7 2 7 4 1 1 13 10 7 0 0 1 1 2 7 4 7 1 13 10 1 2 7 4 7 1 13 10 1 1 0 0 1 1 0 (4+7x+2x2+x3)(1+x3) +(10+13x+x2+7x3)(x+x2)in Zp[x]/(xn-1) Multiplication in Zp[x]/(xn-1) takes time O(nlogn) using FFT
Great, a Better Hash Function! Sample parameters: n=64, m=1024, p=257 Domain size: 21024 (1024 bits) Range size: 25764 (≈ 512 bits) Function description: log(257)*64*1024 ≈ 525,000 bits “New function” description: log(257)*64*16 ≈ 8192 bits and it's much faster!
But Is it Hard to Find Collisions? z A 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 m NO!
Finding Collisions D R h h R' D'
Finding Collisions 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 in Zqn = + 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 How many possibilities are there for this vector? qn There is a way to pick the z vector “smarter” so that the number of possibilities is just q
Finding Collisions 4 1 2 7 0 0 7 4 1 2 0 0 = 2 7 4 1 0 0 1 2 7 4 0 0 4 1 2 7 1 14 7 4 1 2 1 14 = 2 7 4 1 1 14 1 2 7 4 1 14
Finding Collisions 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 in Zqn = + 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 Set each block of z to either all 0's or all 1's How many possibilities for z are there? 2# of blocks Need 2# of blocks > q to guarantee a collision of this form # of blocks > log q
Collision-Resistant Hash Function Given: Vectors a1,...,am in Zqn Find: non-trivial solution z1,...,zm in {-1,0,1} such that: a1 a2 am 0 z1 z2 zm in Zqn + + … + = A=(a1,...,am) Define hA: {0,1}m→ Zqn where hA(z1,...,zm)=a1z1 + … + amzm Domain of h = {0,1}m (size = 2m) Range of h = Zqn (size = qn) Set m>nlog q to get compression # of blocks = m/n > logq
But … z r A = 4 1 2 7 10 7 1 13 12 7 4 1 2 13 10 7 1 3 = n 2 7 4 1 1 13 10 7 7 1 2 7 4 7 1 13 10 4 m Theorem: For a random r in Zqn, it ishard to find a z with coefficients in {-1,0,1} such that Az mod q=r
Lattice Problems for “Cyclic Lattices” Worst-Case Average-Case One-Way Functions
Cyclic Lattices A set L in Zn is a cyclic lattice if: 1.) For all v,w in L, v+w is also in L -1 2 3 -4 -7 -2 3 6 -8 0 6 2 + = 2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4 3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 -4 2 3 -1 3 2 -4 -4 -1 -1 2 -1 -1 -1 2 3 2 2 2 2 3 3 -4 3 3 3 -4 -4 -4 -4 -4 -1
Cyclic Lattices=Ideals in Z[x]/(xn-1) A set L in Zn is a cyclic lattice if: 1.) For all v,w in L, v+w is also in L -1 2 3 -4 -7 -2 3 6 -8 0 6 2 + = 2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4 3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 -4 2 3 -1 3 2 -4 -4 -1 -1 2 -1 -1 -1 2 3 2 2 2 2 3 3 -4 3 3 3 -4 -4 -4 -4 -4 -1
(xn-1)-Ideal Lattices A set L in Zn is an (xn-1)-ideallatticeif: 1.) For all v,w in L, v+w is also in L -1 2 3 -4 -7 -2 3 6 -8 0 6 2 + = 2.) For all v in L, -v is also in L -1 2 3 -4 1 -2 -3 4 3.) For all v in L, a cyclic shift of v is also in L -1 -1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 -4 -4 -4 -4 -4 -4 -1 2 3 -1 -1 3 2 -4 2 3 -1 3 2 -4 -4 -1 -1 2 -1 -1 -1 2 3 2 2 2 2 3 3 -4 3 3 3 -4 -4 -4 -4 -4 -1
What About Hash Functions? z A 4 1 2 7 10 7 1 13 7 4 1 2 13 10 7 1 n 2 7 4 1 1 13 10 7 1 2 7 4 7 1 13 10 m Not Collision-Resistant
A “Simple” Modification z A 4 -1 -2 -7 10 -7 -1 -13 7 4 -1 -2 13 10 -7 -1 n 2 7 4 -1 1 13 10 -7 1 2 7 4 7 1 13 10 m Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q=0
Lattice Problems for (xn+1)-Ideal Latices Worst-Case Average-Case Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt)
1 2 3 4 -7 -2 3 6 -6 0 6 10 1 2 3 4 -1 -2 -3 -4 -1 1 -1 -1 -1 -1 2 2 2 2 2 2 3 3 3 3 3 3 -4 4 -4 -4 -4 -4 -4 1 2 3 -3 -1 -1 2 -4 2 3 3 1 -4 -4 2 -1 -1 -1 -1 -1 -2 2 -3 2 2 2 2 3 3 -4 3 3 3 -4 -4 -4 -4 1 -4 (xn+1)-Ideal Lattices A set L in Zn is an (xn+1)-ideal lattice if: 1.) For all v,w in L, v+w is also in L + = 2.) For all v in L, -v is also in L 3.) For all v in L, its “negative rotation” is also in L
So How Efficient are the Ideal Lattice Constructions? • Collision-resistant hash functions • More efficient than any other provably-secure hash function • Almost as efficient as the ones used in practice • Can only prove collision-resistance • Signature schemes • Theoretically, very efficient • In practice, efficient • Key length ≈ 20,000 bits • Signature length ≈ 50,000 bits