1.01k likes | 1.37k Views
Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009. Cryptographic Hardness Assumptions. Factoring is hard Discrete Log Problem is hard Diffie-Hellman problem is hard Decisional Diffie-Hellman problem is hard
E N D
Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009
Cryptographic Hardness Assumptions • Factoring is hard • Discrete Log Problem is hard • Diffie-Hellman problem is hard • Decisional Diffie-Hellman problem is hard • Problems involving Elliptic Curves are hard • Many assumptions
Why Do We Need More Assumptions? • Number theoretic functions are rather slow • Factoring, Discrete Log, Elliptic curves are “of the same flavor” • Quantum computers break all number theoretic assumptions
Lattice-Based Cryptography • Seemingly very different assumptions from factoring, discrete log, elliptic curves • Simple descriptions and implementations • Very parallelizable • Resists quantum attacks (we think) • Security based on worst-case problems
Average-Case Assumptions vs.Worst-Case Assumptions • Example: Want to base a scheme on factoring • Need to generate a “hard-to-factor” N • How? • Need a “hard distribution” • Wishful thinking: Factoring random numbers from some distribution is as hard as factoring any number
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Lattices Lattice: A discrete additive subgroup of Rn
Lattices Basis: A set of linearly independent vectors that generate the lattice.
Lattices Basis: A set of linearly independent vectors that generate the lattice.
Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors
Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors
Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors
Bounded Distance Decoding(BDD) Given a target vector that's close to the lattice, find the nearest lattice vector
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
SIVP BDD Worst-Case quantum Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Small Integer Solution Problem Given: Random vectors a1,...,am in Zqn Find: non-trivial solution z1,...,zm in {-1,0,1} such that: a1 a2 am 0 z1 z2 zm + + … + = in Zqn • Observations: • If size of zi is not restricted, then the problem is trivial • Immediately implies a collision-resistant hash function
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Collision-Resistant Hash Function Given: Random vectors a1,...,am in Zqn Find: non-trivial solution z1,...,zm in {-1,0,1} such that: a1 a2 am 0 z1 z2 zm in Zqn + + … + = A=(a1,...,am) Define hA: {0,1}m→ Zqn where hA(z1,...,zm)=a1z1 + … + amzm Domain of h = {0,1}m (size = 2m) Range of h = Zqn (size = qn) Set m>nlog q to get compression Collision: a1z1 + … + amzm = a1y1 + … + amym So, a1(z1-y1)+ … + am(zm-ym) = 0 and zi-yi are in {-1,0,1}
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
SIVP BDD Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
For Any Lattice ... Consider the distribution obtained by: 1. Pick a uniformly random lattice point 2. Sample from a Gaussian distribution centered at the lattice point
Two-Dimensional Gaussian Distribution Image courtesy of wikipedia
Gaussians on Lattice Points Image courtesy of Oded Regev
Gaussians on Lattice Points Image courtesy of Oded Regev
Gaussians on Lattice Points Image courtesy of Oded Regev
Gaussians on Lattice Points Image courtesy of Oded Regev
Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors Standard deviation of Gaussian that leads to the uniform distribution is related to the length of the longest vector in SIVP solution
Worst-Case to Average-Case Reduction 2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 Important: All lattice points have label (0,0) and All points labeled (0,0) are lattice points (0n in n dimensional lattices)
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point All the samples are uniform in Zqn
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 How to use the SIS oracle to find a short vector in any lattice: Repeat m times: Pick a random lattice point Gaussian sample a point around the lattice point Give the m “Zqnsamples” a1,...,am to the SIS oracle Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … + amzm = 0
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 Give the m “Zqnsamples” a1,...,am to the SIS oracle Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … + amzm = 0 s1z1+...+smzm is a lattice vector (v1+r1)z1+...+(vm+rm)zm is a lattice vector (v1z1+...+vmzm)+ (r1z1+...+rmzm) is a lattice vector So r1z1+...+rmzm is a lattice vector = vi = si vi + ri = si
2 1 0 2 1 0 2 1 0 1 2 0 1 2 0 1 2 0 1 Give the m “Zqnsamples” a1,...,am to the SIS oracle Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … + amzm = 0 = vi So r1z1+...+rmzm is a lattice vector ri are short vectors, zi are in {-1,0,1} So r1z1+...+rmzm is a short lattice vector = si vi + ri = si
Some Technicalities • You can’t sample a “uniformly random” lattice point • In the proofs, we work with Rn / L rather than Rn • So you don't need to sample a random point lattice point • What if r1z1+...+rmzm is 0? • Can show that with high probability it isn't • Given an si, there are multiple possible ri • Gaussian sampling doesn’t give us points on the grid • You can round to a grid point • Must be careful to bound the “rounding distance”
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Lattice Problems Worst-Case Average-Case Learning With Errors Problem (LWE) Small Integer Solution Problem (SIS) One-Way Functions Collision-Resistant Hash Functions Digital Signatures Identification Schemes (Minicrypt) Public Key Encryption Oblivious Transfer Identity-Based Encryption Hierarchical Identity-Based Encryption (Cryptomania)
Learning With Errors Problem Distinguish between these two distributions: Oracle 1 Oracle 2 a1, b1=<a1,s>+e1 a2, b2=<a2,s>+e2 … a1, b1 a2, b2 … s is chosen randomly in Zqn ai are chosen randomly from Zqn ei are “small” elements in Zq ai are chosen randomly from Zqn bi are chosen randomly from Zq
Learning With Errors Problem . . . a1 s e b a2 + = am ai , s are in Zqn e is in Zqm All coefficients of e are < sqrt(q)
Learning With Errors Problem A s e b + = A is in Zqm x n s is in Zqn e is in Zqm All coefficients of e are < sqrt(q) LWE problem: Distinguish (A,As+e) from (A,b) where b is random
Public Key Encryption Based on LWE Secret Key: s in Zqn Public Key: A in Zqm x n , b=As+e each coefficient of e is < sqrt(q) A s e b + = Encrypting a single bit z in {0,1}. Pick r in {0,1}m . Send (rA, <r,b>+z(q/2)) r A r b + z(q/2)
Proof of Semantic Security r A r b A s e b + z(q/2) + = If b is random, then (A,rA,<r,b>) is also completely random. So (A,rA,<r,b>+z(q/2)) is also completely random. Since (A,b) looks random (based on the hardness of LWE), so does (A,rA,<r,b>+z(q/2)) for any z
Decryption n r A r b A s e b + z(q/2) + m = Have (u,v) where u=rA and v=<r,b>+z(q/2) Compute (<u,s> - v) If <u,s> - v is closer to 0 than to q/2, then decrypt to 0 If <u,s> - v is closer to q/2 than to 0, then decrypt to 1 <u,s> - v = rAs – r(As+e) -z(q/2) =<r,e> - z(q/2) if all coefficients of e are < sqrt(q), |<r,e>| < m*sqrt(q) So if q >> m*sqrt(q), z(q/2) “dominates” the term <r,e> - z(q/2)
Lattices in Practice • Lattices have some great features • Very strong security proofs • The schemes are fairly simple • Relatively efficient • But there is a major drawback • Schemes have very large keys
Hash Function Description of the hash function: a1,...,am in Zqn Input: Bit-string z1...zm in {0,1}: a1 a2 am z1 z2 zm + + … + h(z1...zm) = Sample parameters: n=64, m=1024, p=257 Domain size: 21024 (1024 bits) Range size: 25764 (≈ 512 bits) Function description: log(257)*64*1024 ≈ 525,000 bits
Public-Key Cryptosystem • (Textbook) RSA: • Key-size: ≈ 2048 bits • Ciphertext length (2048 bit message): ≈ 2048 bits • LWE-based scheme: • Key-size: ≈ 600,000 bits • Ciphertext length (2048 bit message): ≈ 40,000 bits
Source of Inefficiency z A 4 11 6 8 10 7 6 14 1 7 7 1 2 13 0 3 0 0 n h(z) = 2 9 12 5 1 2 5 9 0 1 3 14 9 7 1 11 1 1 0 n(log n) 1 1 0 Require O(n2) storage Computing the function takes O(n2) time