750 likes | 1.2k Views
New Lattice Based Cryptographic Constructions. Oded Regev. Lattices. Basis: v 1 ,…,v n vectors in R n The lattice is a 1 v 1 +…+a n v n for all integer a 1 ,…,a n . What is the shortest vector u ?. v 1 +v 2. 2v 2. 2v 1. 2v 2 -v 1. v 1. v 2. 2v 2 -2v 1. 0. 3v 1 -4v 2.
E N D
Lattices • Basis: v1,…,vn vectors in Rn • The lattice is a1v1+…+anvn for all integer a1,…,an. • What is the shortest vector u ? v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1 0
3v1-4v2 Lattices – not so easy v1 v2 0
1 f(n) f(n)-unique-SVP (shortest vector problem) • Promise: the shortest vector u is shorter by a factor of f(n) • Algorithm for 2n-unique SVP [LLL82,Schnorr87] • Believed to be hard for any nc nc 2n 1 easy believed hard
History • Geometric objects with rich structure • Early work by Gauss 1801, Hermite 1850, Minkowski 1896 • More recent developments: • LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82] • Factoring rational polynomials • Solving integer programs in a fixed dimension • Breaking knapsack cryptosystems • Ajtai’s average case connection [Ajtai96] • Lattice based cryptosystems
Question • From which distribution is the following sequence taken? 478, 21, 431, 897, 150, 701, 929, 232 Uniform? Prob 1 1000 Prob Or wavy? 1 1000
The d,γ-wavy Distribution • Periodization of the normal distribution • R=2^(2n2) • Number of periods is d (usually integer) • Ratio of period to standard dev. is γ • distd : {0,…,R-1} [0,½] is the normalized distance from the nearest peak =γ d=7 Prob 0 R-1
Main Theorem • For all γ=γ(n), a reduction from γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n2)
Average-case Theorem • For all γ=γ(n), a reduction from γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions for a non-negligible fraction of values d in [2^(n2),2•2^(n^2)]
Applications of Main Theorem • Public key encryption scheme • Collision resistant hash function • A problem in quantum computation
Cryptography • ‘Standard’ cryptography: • Usually based on factoring, discrete log, principal ideal problem • Average case assumption • Mostly broken by quantum computers • Lattice based cryptography [Ajtai96,…]: • Based on lattice problems • Worst case assumption • Still not broken by quantum computers
Application 1Public Key Encryption (PKE) • Consists of private key, public key, encryption and decryption • The Ajtai-Dwork cryptosystem [AjtaiDwork96,GoldreichGoldwasserHalevi97] • Previously, the only lattice based PKE with worst case assumption • Based on n7-unique Shortest Vector Problem
Application 1Public Key Encryption (PKE) • We construct a new lattice based PKE from the average-case theorem: • Very simple description • Improves Ajtai-Dwork to n1.5-unique Shortest Vector Problem • Uses integer numbers, very efficient
Application 2Collision Resistant Hash Function • A function f:{0,1}r{0,1}s with r>s such that it is hard to find collisions, i.e., • xy s.t. f(x)=f(y) • Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02] • Our construction is • The first which is not based on Ajtai’s iterative step • Somewhat stronger (based on n1.5-uSVP)
Application 3 Quantum Computation • Quantum computers can break cryptography based on factoring [Shor96] • Based on the HSP on Abelian groups • What about lattice based cryptography?
Application 3 Quantum Computation • Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02] • Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]
Main Theorem • For all γ=γ(n), a reduction from γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n2)
Proof Outline n1.5-Unique-SVP decision problem promise problem n-dim distributions Main theorem
Reduction to:Decision Problem • Given a n1.5-unique lattice, and a prime p>n1.5 • Assume the shortest vector is: u = a1v1+a2v2+…+anvn • Decide whether a1 is divisible by p
The Reduction • Idea: decrease the coefficients of the shortest vector • If we find out that p|a1 then we can replace the basis with pv1,v2,…,vn . • u is still in the new lattice: u = (a1/p)•pv1 + a2v2 + … + anvn • The same can be done whenever p|ai for some i
| The Reduction • But what if p ai for all i ? • Consider the basis v1,v2-v1,v3,…,vn • The shortest vector is u = (a1+a2)v1 + a2(v2-v1)+ a3v3 +… + anvn • The first coefficient is a1+a2 • Similarly, we can set it to a1-bp/2ca2 ,…, a1-a2 , a1 , a1+a2 , … , a1+bp/2ca2 • One of them is divisible by p, so we choose it and continue
Proof Outline n1.5-Unique-SVP decision problem promise problem n-dim distributions Main theorem
Reduction from:Decision Problem • Given a n1.5-unique lattice, and a prime p>n1.5 • Assume the shortest vector is: u = a1v1+a2v2+…+anvn • Decide whether a1 is divisible by p
Reduction to:Promise Problem • Given a lattice, distinguish between: Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n Case 2. Shortest vector is of length more than n
| The reduction • Input: a basis (v1,…,vn) of a n1.5 unique lattice • Scale the lattice so that the shortest vector is of length 1/n • Replace v1 by pv1. Let M be the resulting lattice • If p | a1 then M has shortest vector 1/n and all non-parallel vectors more than n • If p a1 then M has shortest vector more than n
The input lattice L L 1/n n -u 0 u 2u
The lattice M • The lattice M is spanned by pv1,v2,…,vn: • If p|a1, then u = (a1/p)•pv1 + a2v2 +…+ anvn2M : M n 1/n 0 u
2 | The lattice M • The lattice M is spanned by pv1,v2,…,vn: • If p a1, then u M: M n -pu 0 pu
Proof Outline n1.5-Unique-SVP decision problem promise problem n-dim distributions Main theorem
Reduction from:Promise Problem • Given a lattice, distinguish between: Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n Case 2. Shortest vector is of length more than n
n-dimensional distributions • Distinguish between the distributions: ? Uniform Wavy
Dual Lattice • Given a lattice L, the dual lattice is L* = { x | 8y2L, <x,y>2Z } 1/5 L L* 5 0 0
L* 0 n 0 L* - the dual of L L n Case 1 1/n 0 n Case 2
Reduction • Choose a point randomly from L* • Perturb it by a Gaussian of radius n
Creating the Distribution L* L*+ perturb 0 Case 1 n Case 2
Analyzing the Distribution • Theorem: (using [Banaszczyk’93]) The distribution obtained above depends only on the points in L of distance n from the origin (up to an exponentially small error) • Therefore, Case 1: Determined by multiples of u wavy on hyperplanes orthogonal to u Case 2: Determined by the origin uniform
Proof of Theorem • For a set A in Rn,define: • Poisson Summation Formula implies: • Banaszczyk’s theorem: For any lattice L,
Proof of Theorem (cont.) • In Case 2, the distribution obtained is very close to uniform: • Because:
Proof Outline n1.5-Unique-SVP decision problem promise problem n-dim distributions Main theorem
n-dimensional distributions • Distinguish between the distributions • Given by an oracle that returns points inside a cube of side length 2n ? Wavy Uniform
Main Theorem • Distinguish between the distributions: Uniform: 0 R-1 Wavy: 0 R-1
Reducing to 1-dimension • First attempt: sample and project to a line
Reducing to 1-dimension • But then we lose the wavy structure! • We should project only from points very close to the line
The solution • Use the periodicity of the distribution • Project on a ‘dense line’ :
The solution • We choose the line that connects the origin to e1+Ke2+K2e3…+Kn-1enwhere K is large enough • The distance between hyperplanes is n • The sides are of length 2n • Therefore, we choose K=2O(n) • Hence, d<O(Kn)=2^(O(n2))
Done n1.5-Unique-SVP decision problem promise problem n-dim distributions Main theorem
Worst-case vs. Average-case • Main theorem presents a problem that is hard in the worst-case: distinguish between uniform and d,γ-wavy distributions for all integers d<2^(n2) • For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of d in [2^(n2), 2•2^(n2)]