390 likes | 704 Views
Lattice-Based Cryptography. Cryptographic Hardness Assumptions. Factoring is hard Discrete Log Problem is hard Diffie-Hellman problem is hard Decisional Diffie-Hellman problem is hard Problems involving Elliptic Curves are hard Many assumptions. Why Do We Need More Assumptions?.
E N D
Cryptographic Hardness Assumptions • Factoring is hard • Discrete Log Problem is hard • Diffie-Hellman problem is hard • Decisional Diffie-Hellman problem is hard • Problems involving Elliptic Curves are hard • Many assumptions
Why Do We Need More Assumptions? • Number theoretic functions are rather slow • Factoring, Discrete Log, Elliptic curves are “of the same flavor” • Quantum computers break all number theoretic assumptions
Lattice-Based Cryptography • Seemingly very different assumptions from factoring, discrete log, elliptic curves • Simple descriptions and implementations • Very parallelizable • Resists quantum attacks (we think) • Security based on worst-case problems
Average-Case Assumptions vs.Worst-Case Assumptions • Example: Want to base a scheme on factoring • Need to generate a “hard-to-factor” N • How? • Need a “hard distribution”
Picking a Hard-to-Factor N • How do you pick a “good” N? • Just pick p,q as random large primes and set N=pq? • (1978) Largest prime factors of p-1,q-1 should be large • (1981) p+1 and q+1 should have a large prime factor • (1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors • (1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors • ...
Picking a Hard-to-Factor N • Need to know a probability distribution over Z such that picking an N according to it will make N hard to factor • Wishful thinking: There is a distribution D such that factoring in the worst case reduces to factoring numbers chosen according to D
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors
Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors
Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
SIVP BDD Worst-Case quantum Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Small Integer Solution Problem Given: Random vectors a1,...,am in Zqn Find: non-trivial solution z1,...,zm in {-1,0,1} such that: a1 a2 am 0 z1 z2 zm + + … + = in Zqn • Observations: • If size of zi is not restricted, then the problem is trivial • Immediately implies a collision-resistant hash function
SIVP BDD Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
For Any Lattice ... Consider the distribution obtained by: 1. Pick a uniformly random lattice point 2. Sample from a Gaussian distribution centered at the lattice point
Two-Dimensional Gaussian Distribution Image courtesy of wikipedia
Gaussians on Lattice Points Image courtesy of Oded Regev
Gaussians on Lattice Points Image courtesy of Oded Regev
Gaussians on Lattice Points Image courtesy of Oded Regev
Gaussians on Lattice Points Image courtesy of Oded Regev
Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors Standard deviation of Gaussian that leads to the uniform distribution is related to the length of the longest vector in SIVP solution
Worst-Case to Average-Case Reduction 2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 Important: All lattice points have label (0,0) and All points labeled (0,0) are lattice points (0n in n dimensional lattices)
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point All the samples are uniform in Zqn
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point Give the m “Zqnsamples” a1,...,am to the SIS oracle Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … + amzm = 0
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 Give the m “Zqnsamples” a1,...,am to the SIS oracle Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … + amzm = 0 s1z1+...+smzm is a lattice vector (v1+r1)z1+...+(vm+rm)zm is a lattice vector (v1z1+...+vmzm)+ (r1z1+...+rmzm) is a lattice vector So r1z1+...+rmzm is a lattice vector = vi = si vi + ri = si
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 Give the m “Zqnsamples” a1,...,am to the SIS oracle Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … + amzm = 0 = vi So r1z1+...+rmzm is a lattice vector ri are short vectors, zi are in {-1,0,1} So r1z1+...+rmzm is a short lattice vector = si vi + ri = si
Some Technicalities • You can’t sample a “uniformly random” lattice point • In the proofs, we work with Rn / L rather than Rn • So you don't need to sample a random point lattice point • What if r1z1+...+rmzm is 0? • Can show that with high probability it isn't • Given an si, there are multiple possible ri • • Gaussian sampling doesn’t give us points on the grid • You can round to a grid point • Must be careful to bound the “rounding distance”