
Lattice-based Cryptography

Lattice-based Cryptography. Oded Regev Tel-Aviv University. CRYPTO 2006, Santa Barbara, CA. Introduction to lattices Survey of lattice-based cryptography Hash functions [Ajtai96,…] Public-key cryptography [AjtaiDwork97,…] Construction of a simple lattice-based hash function


Presentation Transcript


  1. Lattice-based Cryptography
  Oded Regev, Tel-Aviv University
  CRYPTO 2006, Santa Barbara, CA

  2. Outline
  • Introduction to lattices
  • Survey of lattice-based cryptography
    • Hash functions [Ajtai96,…]
    • Public-key cryptography [AjtaiDwork97,…]
  • Construction of a simple lattice-based hash function
  • Open Problems

  3. Lattice
  • For any vectors v1,…,vn in R^n, the lattice spanned by v1,…,vn is the set of points
    L = {a1·v1 + … + an·vn | ai integers}
  • These vectors form a basis of L
  [Figure: a two-dimensional lattice with the points 0, v1, v2, v1+v2, 2v1, 2v2, 2v2−v1 and 2v2−2v1 labelled]

  4. History of Lattices
  • Geometric objects with rich structure
  • Investigated since 1800 by Lagrange, Gauss, Hermite, and Minkowski
  • More recent developments:
    • LLL algorithm: finds ‘somewhat short’ vectors in lattices [LenstraLenstraLovász82]. Applications include:
      • Factoring polynomials over the rationals
      • Solving integer programs in fixed dimension
      • Cryptanalysis:
        • Breaking knapsack cryptosystems [LagariasOdlyzko85]
        • Breaking special cases of RSA [Coppersmith01]
      • And more…
    • Ajtai’s lattice-based cryptographic construction [Ajtai96]

  5. Shortest Vector Problem (SVP)
  • SVP: given a lattice, find a shortest (nonzero) vector
  • γ-approximate SVP: given a lattice, find a vector of length at most γ times the shortest
  • Other lattice problems: SIVP, SBP, etc.
  [Figure: a two-dimensional lattice with basis v1, v2 in which the short vector 3v2−4v1 is marked]

  6. Lattice Problems Seem Hard
  • We’ll be interested in γ-approximate SVP for γ = poly(n)
  • Best known algorithm runs in time 2^n [AjtaiKumarSivakumar01]
  • On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04]
  • Best poly-time algorithm solves for γ = 2^(n·log log n / log n) [LLL82, Schnorr85]
  • NP-hard for sub-polynomial γ [Khot04]
  [Figure: axis of approximation factors γ, marked 1, 2^((log n)^(1−ε)), n and 2^(n·log log n / log n), with the ranges labelled NP-hard, NP∩coNP, crypto and P]

  7. Survey of Lattice-based Cryptography

  8. Why use lattice-based cryptography
  • Lattice-based cryptography
    • Based on hardness of lattice problems
    • Based on a worst-case assumption
    • (Still) Not broken by quantum algorithms
    • Very simple computations
  • ‘Standard’ cryptography
    • Based on hardness of factoring, discrete log, etc.
    • Based on an average-case assumption
    • Broken by quantum algorithms
    • Requires modular exponentiation etc.

  9. Collision-Resistant Hash Functions
  • A CRHF is a function f: {0,1}^r → {0,1}^s with r > s such that it is hard to find collisions, i.e., x ≠ y s.t. f(x) = f(y)
  • First lattice-based CRHF given in [Ajtai96]
    • Based on the worst-case hardness of n^8-approximate SVP
  • Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04]
  • Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04]

  10. The Modular Subset-Sum Function
  • Let N be a big integer, and m = 2·log2 N
  • Choose a1,…,am uniformly in {0,…,N−1}. Then define f_{a1,…,am}: {0,1}^m → {0,…,N−1} by
    f_{a1,…,am}(b1,…,bm) = Σ bi·ai mod N
  • Since m > log2 N, (many) collisions exist
  • We will later see a proof of security:
    • Being able to find a collision in a randomly chosen f, even with probability n^(−100), implies a solution to any instance of approximate-SVP

  11. Recent Work: More Efficient CRHFs
  • In the constructions above, for security based on n-dimensional lattices, O(n^2) bits are necessary to specify a hash function
  • More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06]
    • Only O(n) bits needed to specify a hash function
    • Based on worst-case hardness of approximate-SVP on a restricted class of lattices known as cyclic lattices

  12. Public-key Cryptosystem
  • A PKC allows parties to communicate securely without having to agree on a secret key beforehand
  • First lattice-based PKC presented in [AjtaiDwork97]
  • Some improvements [GoldreichGoldwasserHalevi97, R03]
  • Security based on the worst-case hardness of a special case of SVP known as unique-SVP
  • Some disadvantages:
    • Based only on unique-SVP
    • Impractical (think of n as 100):
      • Public key size O(n^4)
      • Encryption expands by O(n^2)

  13. A Recent Public-key Cryptosystem [Ajtai05]
  • Main advantages:
    • Practical (think of n as 100):
      • Public key size O(n)
      • Encryption expands by O(n)
  • Some disadvantages:
    • Not based on lattice problems
    • No worst-case hardness

  14. Another Recent Public-key Cryptosystem [R05]
  • Main advantages:
    • Practical (think of n as 100):
      • Public key size O(n)
      • Encryption expands by O(n)
    • Worst-case hardness
    • Based on the main lattice problems (SVP, SIVP)
  • One disadvantage:
    • Breaking the cryptosystem implies an efficient quantum algorithm for lattices

  15. Example of a lattice-based PKC [R05]
  • Everything modulo 4
  • Private key: 4 random numbers: 1 2 0 3
  • Public key: a 6×4 matrix and approximate inner products with the private key. The exact inner products (known only to the key holder) and the published approximate values are:
    2·1 + 0·2 + 1·0 + 2·3 = 0    published ≈ 1
    1·1 + 2·2 + 2·0 + 3·3 = 2    published ≈ 2
    0·1 + 2·2 + 0·0 + 3·3 = 1    published ≈ 1
    1·1 + 2·2 + 0·0 + 2·3 = 3    published ≈ 0
    0·1 + 3·2 + 1·0 + 3·3 = 3    published ≈ 3
    3·1 + 3·2 + 0·0 + 2·3 = 3    published ≈ 2
  • From the encryptor’s point of view the private key is unknown, so each public row reads
    2·? + 0·? + 1·? + 2·? ≈ 1
    1·? + 2·? + 2·? + 3·? ≈ 2
    0·? + 2·? + 0·? + 3·? ≈ 1
    1·? + 2·? + 0·? + 2·? ≈ 0
    0·? + 3·? + 1·? + 3·? ≈ 3
    3·? + 3·? + 0·? + 2·? ≈ 2
  • Encrypt the bit 0: 3·? + 2·? + 1·? + 0·? ≈ 1
  • Encrypt the bit 1: 3·? + 2·? + 1·? + 0·? ≈ 3
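The scheme of this slide in Python, as an added illustration that is not code from the talk: a public key of noisy inner products, encryption by a subset sum of public rows (adding q/2 for the bit 1) and decryption by rounding. The parameters q = 101, n = 4, m = 20 and noise in {−1, 0, 1} are constructed here rather than taken from the slide, and chosen so that m < q/4 and the accumulated noise can never flip a bit.

```python
import random

# Toy Regev-style public-key encryption (added illustration, not the slide's
# own code). Constructed parameters: each public row carries noise in
# {-1, 0, 1}, a ciphertext sums at most M of them, and M < Q/4, so the total
# error stays well away from the decision boundary between 0 and Q/2.
Q, N, M = 101, 4, 20   # modulus, private-key length, number of public rows


def keygen(rng):
    """Private key s in Z_q^n; public key (A, b) with b_i ~ <a_i, s> (mod q)."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    # approximate inner products: exact value plus small noise e_i in {-1, 0, 1}
    b = [(sum(x * y for x, y in zip(row, s)) + rng.choice((-1, 0, 1))) % Q
         for row in A]
    return s, (A, b)


def encrypt(pk, bit, rng):
    """Sum a random subset of public rows; add q/2 to the scalar for bit 1."""
    A, b = pk
    subset = [i for i in range(M) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N)]
    v = (sum(b[i] for i in subset) + (Q // 2 if bit else 0)) % Q
    return u, v


def decrypt(s, ct):
    """v - <u, s> is close to 0 (mod q) for bit 0 and close to q/2 for bit 1."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    # compare the wrap-around distance to 0 with the distance to q/2
    return 0 if min(d, Q - d) < abs(d - Q // 2) else 1


def roundtrip(seed=0):
    """Encrypt and decrypt both bits repeatedly; True if every bit is recovered."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return all(decrypt(s, encrypt(pk, bit, rng)) == bit
               for _ in range(200) for bit in (0, 1))
```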

  16. Construction of a Lattice-based Collision Resistant Hash Function

  17. Blurring a Picture

  18. Blurring a Lattice

  19. Blurring a Lattice

  20. Blurring a Lattice

  21. Blurring a Lattice

  22. Blurring a Lattice

  23. The Smoothing Radius
  • Define the smoothing radius r = r(L) > 0 as the smallest real such that adding Gaussian blur of radius r to L yields an essentially uniform distribution
  • The radius r was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93]
  • It was shown that r is ‘small’ in the sense that finding vectors of length poly(n)·r(L) implies a solution to poly(n)-approximate SVP

  24. An Alternative Definition
  • Define h: R^n → [0,1)^n that maps any x = Σ αi·vi to
    h(x) = (α1,…,αn) mod 1.
  • E.g., any x ∈ L has h(x) = (0,…,0)
  • Then the alternative way to define r is as:
    • The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius r, then h(x) is ‘essentially’ uniform on [0,1)^n

  25. [Figure: points x1, x2, x3, x4 in R^n around the lattice point 0, and their images h(x1), h(x2), h(x3), h(x4) in the unit cube [0,1)^n with corners (0,0), (1,0), (0,1), (1,1)]

  26. Our CRHF
  • Fix the dimension n, let q = 2^(2n), and m = 4n^2
  • Choose a1,…,am uniformly in Zq^n. Then define f_{a1,…,am}: {0,1}^m → {0,1}^(n·log2 q) by
    f_{a1,…,am}(b1,…,bm) = Σ bi·ai (mod q)
  • Since m > n·log2 q, (many) collisions exist
  • We now prove security by showing that:
    • Being able to find a collision in a randomly chosen f_{a1,…,am}, even with probability n^(−100), implies a solution to any instance of poly(n)-approximate SVP

  27. Security Proof
  • Assume there exists an algorithm CollisionFind that, given a1,…,am chosen uniformly in Zq^n, finds with some non-negligible probability b1,…,bm ∈ {−1,0,1} (not all zero) such that
    Σ bi·ai = 0 (mod q).
  • This implies an algorithm CollisionFind’ that, given a1,…,am chosen uniformly from [0,1)^n, finds with some non-negligible probability b1,…,bm ∈ {−1,0,1} (not all zero) such that
    Σ bi·ai ≈ (0,…,0) (mod 1)
    (up to m/q in each coordinate)
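The hash function of slide 26 and the first step of slide 27 in Python, as an added illustration that is not code from the talk: with toy parameters q = 5, n = 2, m = 8 (constructed here; the slide uses q = 2^(2n), m = 4n^2), m > n·log2 q still holds, so a collision x ≠ y can be found by brute force, and b = x − y is a nonzero vector in {−1,0,1}^m with Σ bi·ai = 0 (mod q).

```python
from itertools import product

# Toy instance of f_A(b) = sum_i b_i a_i (mod q) over Z_q^n (added illustration,
# not the slide's own code). 2^M = 256 inputs map to Q^N = 25 outputs, so
# the pigeonhole principle guarantees a collision (8 > 2 * log2 5 ~ 4.64).
Q, N, M = 5, 2, 8


def hash_sis(A, bits):
    """A is a list of m vectors in Z_q^n; bits is a message in {0,1}^m."""
    return tuple(sum(b * a[j] for b, a in zip(bits, A)) % Q for j in range(N))


def find_collision(A):
    """Enumerate all 2^m inputs and return the first pair x != y with f_A(x) == f_A(y)."""
    seen = {}
    for bits in product((0, 1), repeat=M):
        h = hash_sis(A, bits)
        if h in seen:
            return seen[h], bits
        seen[h] = bits
    return None   # unreachable while 2^M > Q^N


def collision_to_short_vector(A, x, y):
    """CollisionFind step: b = x - y lies in {-1,0,1}^m, is nonzero and f_A(b) = 0."""
    b = [xi - yi for xi, yi in zip(x, y)]
    if not any(b) or not all(v in (-1, 0, 1) for v in b):
        raise ValueError("x and y must be distinct 0/1 vectors")
    if hash_sis(A, b) != (0,) * N:
        raise ValueError("not a collision of f_A")
    return b


# constructed sample key: m = 8 vectors in Z_5^2 standing in for a uniform choice
A_SAMPLE = [(1, 3), (4, 0), (2, 2), (0, 1), (3, 4), (1, 1), (4, 2), (2, 0)]
```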

  28. [Figure: CollisionFind’ receives points a1,…,a6 in the unit square [0,1)^2 with corners (0,0), (1,0), (0,1), (1,1). Output: “a1 + a2 − a4 + a5 ≈ (0,…,0) (mod 1)”]

  29. Security Proof
  • Our goal is to show that using CollisionFind’ we can find a nonzero vector of length at most poly(n)·r(L) in any given lattice L
  • So let L be a given lattice with basis v1,…,vn
  • By using the LLL algorithm, we can assume that v1,…,vn are not ‘unreasonably’ long: say, of length at most 2^n·r(L)

  30. Security Proof – Main Procedure
  • Sample m vectors x1,…,xm from the Gaussian distribution around 0 of radius r
  • Compute a1 := h(x1),…,am := h(xm)
    • Each ai is uniformly distributed in [0,1)^n
  • Apply CollisionFind’ to obtain b1,…,bm ∈ {−1,0,1} such that
    Σ bi·h(xi) ≈ (0,…,0) (mod 1), within m/q in each coordinate
  • Define y = Σ bi·xi. Then,
    • y is short (of length at most m·r)
    • y is extremely close to a lattice point, since h(y) = Σ bi·h(xi) is within m/q of (0,…,0) in each coordinate (mod 1)

  31. Security Proof – Main Procedure
  • Write y = Σ αi·vi for some reals α1,…,αn
  • So each αi is within m/q of an integer
  • Define the lattice vector y’ = Σ ⌊αi⌉·vi, where ⌊αi⌉ is the integer nearest to αi
  • The distance between y and y’ is tiny: each coefficient changes by at most m/q = 4n^2 / 2^(2n), and the vi have length at most 2^n·r(L)
  • So y’ is a lattice vector of length at most (m+1)·r

  32. [Figure: points x1, x2, x3, x4 around the lattice point 0, the combination y and the nearby lattice vector y’. CollisionFind’(a1,a2,a3,a4) outputs “−a2 − a3 + a4 ≈ 0 (mod 1)”]

  33. Security Proof – One Last Issue
  • How to guarantee that y’ is nonzero?
  • Maybe CollisionFind’ acts in some ‘malicious’ way, trying to make y’ zero
  • It can be shown that ai does not contain enough information about xi
  • In other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y’ is nonzero with very high probability

  34. Security Proof – Conclusion
  • By a single call to the collision finder, we can find in any lattice a nonzero vector of length at most (m+1)·r with some non-negligible probability
  • Obviously, by repeating this procedure we can obtain such a vector with very high probability
  • The essential idea: All lattices look the same after adding some small amount of blur

  35. Open Problems
  • Cryptanalysis
    • Current attacks limited to low dimension [NguyenStern98]
    • New systems [Ajtai05, R05] are efficient and can be easily used with dimension 100+
  • Improved cryptosystems
    • Construct the ‘ultimate’ lattice-based cryptosystem? (based on SVP, efficient)
    • Construct more efficient schemes based on special classes of lattices?

  36. Open Problems
  • Comparison with number theoretic cryptography
    • E.g., can one factor integers using an oracle for n-approximate SVP?
  • Signature schemes
    • Can one construct provably secure lattice-based signature schemes?
  • Security against chosen-ciphertext attacks
    • Known lattice-based cryptosystems are not secure against CCA
