Lattice-Based Cryptography

Lattice-Based Cryptography. Lattice problems: worst-case, average-case. Learning With Errors Problem (LWE). Small Integer Solution Problem (SIS). One-way functions, collision-resistant hash functions, digital signatures, identification schemes (Minicrypt). Public key encryption.

felcia

Presentation Transcript


  1. Lattice-Based Cryptography

  2. Lattice Problems
     Worst-Case / Average-Case
     Learning With Errors Problem (LWE); Small Integer Solution Problem (SIS)
     Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
     Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

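  3. Learning With Errors Problem
     Find the secret $s$:
     $a_1,\ b_1 = \langle a_1, s\rangle + e_1$
     $a_2,\ b_2 = \langle a_2, s\rangle + e_2$
     …
     • $s$ is chosen randomly in $\mathbb{Z}_q^n$
     • $a_i$ are chosen randomly from $\mathbb{Z}_q^n$
     • $e_i$ are “small” elements in $\mathbb{Z}_q$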

  4. (Decisional) Learning With Errors Problem
     Distinguish between these two distributions:
     Oracle 1: $a_1,\ b_1 = \langle a_1, s\rangle + e_1$; $a_2,\ b_2 = \langle a_2, s\rangle + e_2$; …
        • $s$ is chosen randomly in $\mathbb{Z}_q^n$
        • $a_i$ are chosen randomly from $\mathbb{Z}_q^n$
        • $e_i$ are “small” elements in $\mathbb{Z}_q$
     Oracle 2: $a_1,\ b_1$; $a_2,\ b_2$; …
        • $a_i$ are chosen randomly from $\mathbb{Z}_q^n$
        • $b_i$ are chosen randomly from $\mathbb{Z}_q$

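  5. LWE < d-LWE
     $v$, $g$ = guess for $\langle v,s\rangle$
     • If $g = \langle v,s\rangle$, then we will produce the Oracle 1 distribution
     • If $g \neq \langle v,s\rangle$, then we will produce the Oracle 2 distribution
     Use the distinguisher to tell us whether the guess for $\langle v,s\rangle$ was correct. Can set $v=(1,0,\ldots,0)$, then $(0,1,0,\ldots,0)$, … to recover all the bits of $s$.
     $(a, b) = (a,\ \langle a,s\rangle + e)$; pick random $r$ in $\mathbb{Z}_q$:
     $(a+rv,\ b+rg) = (a+rv,\ \langle a,s\rangle + e + rg)$
     If $g = \langle v,s\rangle$, then
     $(a+rv,\ b+rg) = (a+rv,\ \langle a,s\rangle + e + r\langle v,s\rangle) = (a+rv,\ \langle a+rv,s\rangle + e)$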

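  6. LWE < d-LWE
     $v$, $g$ = guess for $\langle v,s\rangle$
     • If $g = \langle v,s\rangle$, then we will produce the Oracle 1 distribution
     • If $g \neq \langle v,s\rangle$, then we will produce the Oracle 2 distribution
     Use the distinguisher to tell us whether the guess for $\langle v,s\rangle$ was correct. Can set $v=(1,0,\ldots,0)$, then $(0,1,0,\ldots,0)$, … to recover all the bits of $s$.
     $(a, b) = (a,\ \langle a,s\rangle + e)$; pick random $r$ in $\mathbb{Z}_q$:
     $(a+rv,\ b+rg) = (a+rv,\ \langle a,s\rangle + e + rg)$
     If $g \neq \langle v,s\rangle$, then $g = \langle v,s\rangle + g'$ and
     $(a+rv,\ b+rg) = (a+rv,\ \langle a,s\rangle + e + r\langle v,s\rangle + rg') = (a+rv,\ \langle a+rv,s\rangle + e + rg')$
     $r$ is independent of $a+rv$, $s$, $e$, so
     $\Pr[\langle a',s\rangle + e + rg' = u \mid a'] = \Pr[r = (u - (\langle a',s\rangle + e))\cdot(g')^{-1}] = 1/q$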

  7. Learning With Errors Problem
     $\begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_m \end{pmatrix} s + e = b$
     • $a_i$, $s$ are in $\mathbb{Z}_q^n$
     • $e$ is in $\mathbb{Z}_q^m$
     • All coefficients of $e$ are $< \sqrt{q}$

  8. Learning With Errors Problem
     $As + e = b$
     • $A$ is in $\mathbb{Z}_q^{m \times n}$
     • $s$ is in $\mathbb{Z}_q^n$
     • $e$ is in $\mathbb{Z}_q^m$
     • All coefficients of $e$ are $< \sqrt{q}$
     LWE problem: Distinguish $(A,\ As+e)$ from $(A,\ b)$ where $b$ is random

  9. Public Key Encryption Based on LWE
     Secret Key: $s$ in $\mathbb{Z}_q^n$
     Public Key: $A$ in $\mathbb{Z}_q^{m \times n}$, $b = As + e$; each coefficient of $e$ is $< \sqrt{q}$
     Encrypting a single bit $z$ in $\{0,1\}$: pick $r$ in $\{0,1\}^m$ and send $(rA,\ \langle r,b\rangle + z(q/2))$

  10. Proof of Semantic Security
     Public key: $A$, $b = As + e$. Ciphertext: $(rA,\ \langle r,b\rangle + z(q/2))$.
     If $b$ is random, then $(A,\ rA,\ \langle r,b\rangle)$ is also completely random. So $(A,\ rA,\ \langle r,b\rangle + z(q/2))$ is also completely random.
     Since $(A, b)$ looks random (based on the hardness of LWE), so does $(A,\ rA,\ \langle r,b\rangle + z(q/2))$ for any $z$.

  11. Decryption
     Have $(u, v)$ where $u = rA$ and $v = \langle r,b\rangle + z(q/2)$. Compute $\langle u,s\rangle - v$.
     • If $\langle u,s\rangle - v$ is closer to 0 than to $q/2$, then decrypt to 0
     • If $\langle u,s\rangle - v$ is closer to $q/2$ than to 0, then decrypt to 1
     $\langle u,s\rangle - v = rAs - r(As+e) - z(q/2) = -\langle r,e\rangle - z(q/2)$
     If all coefficients of $e$ are $< \sqrt{q}$, then $|\langle r,e\rangle| < m\sqrt{q}$.
     So if $q \gg m\sqrt{q}$, $z(q/2)$ “dominates” the term $-\langle r,e\rangle - z(q/2)$.

  12. Lattices in Practice
     • Lattices have some great features
        • Very strong security proofs
        • The schemes are fairly simple
        • Relatively efficient
     • But there is a major drawback
        • Schemes have very large keys

  13. Hash Function
     Description of the hash function: $a_1, \ldots, a_m$ in $\mathbb{Z}_q^n$
     Input: bit-string $z_1 \ldots z_m$ in $\{0,1\}$
     $h(z_1 \ldots z_m) = a_1 z_1 + a_2 z_2 + \dots + a_m z_m$
     Sample parameters: $n=64$, $m=1024$, $p=257$
     • Domain size: $2^{1024}$ (1024 bits)
     • Range size: $257^{64}$ (≈ 512 bits)
     • Function description: $\log(257) \cdot 64 \cdot 1024$ ≈ 525,000 bits

  14. Public-Key Cryptosystem
     • (Textbook) RSA:
        • Key-size: ≈ 2048 bits
        • Ciphertext length (2048 bit message): ≈ 2048 bits
     • LWE-based scheme:
        • Key-size: ≈ 600,000 bits
        • Ciphertext length (2048 bit message): ≈ 40,000 bits

  15. Source of Inefficiency
     [Figure: $h(z) = Az$ for an $n \times m$ matrix $A$ of unrelated entries and a bit vector $z$ of length $m$]
     • Require $O(mn)$ storage
     • Computing the function takes $O(mn)$ time

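  16. A More Efficient Idea
     $A = \begin{pmatrix} 4 & 1 & 2 & 7 & 10 & 7 & 1 & 13 \\ 7 & 4 & 1 & 2 & 13 & 10 & 7 & 1 \\ 2 & 7 & 4 & 1 & 1 & 13 & 10 & 7 \\ 1 & 2 & 7 & 4 & 7 & 1 & 13 & 10 \end{pmatrix}$ ($n$ rows, $m$ columns), $z = (1,0,0,1,0,1,1,0)^T$
     • Now $A$ only requires $m$ storage
     • $Az$ can be computed faster as well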

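  17. A More Efficient Idea
     $Az = \begin{pmatrix} 4 & 1 & 2 & 7 \\ 7 & 4 & 1 & 2 \\ 2 & 7 & 4 & 1 \\ 1 & 2 & 7 & 4 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \\ 0 \\ 1 \end{pmatrix} + \begin{pmatrix} 10 & 7 & 1 & 13 \\ 13 & 10 & 7 & 1 \\ 1 & 13 & 10 & 7 \\ 7 & 1 & 13 & 10 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$
     $(4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2)$ in $\mathbb{Z}_p[x]/(x^n-1)$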

  18. Interlude: What is $\mathbb{Z}_p[x]/(x^n-1)$?
     • $\mathbb{Z}$ = integers
     • $\mathbb{Z}_p$ = integers modulo $p$
     • $\mathbb{Z}_p[x]$ = polynomials with coefficients in $\mathbb{Z}_p$
        • Example if $p=3$: $1+x$, $2+x^2+x^{1001}$
     • $\mathbb{Z}_p[x]/(x^n-1)$ = polynomials of degree at most $n-1$, with coefficients in $\mathbb{Z}_p$
        • Example if $p=3$ and $n=4$: $1+x$, $2+x+x^2$

  19. Operations in $\mathbb{Z}_p[x]/(x^n-1)$?
     • Addition:
        • Addition of polynomials modulo $p$
        • Example if $p=3$ and $n=4$: $(1+x^2) + (2+x^2+x^3) = 2x^2+x^3$
     • Multiplication:
        • Polynomial multiplication modulo $p$ and $x^n-1$
        • Example if $p=3$ and $n=4$: $(1+x^2)(2+x^2+x^3) = 2+3x^2+x^3+x^4+x^5 = 2+3x^2+x^3+1+x = x+x^3$

  20. A More Efficient Idea
     $Az = \begin{pmatrix} 4 & 1 & 2 & 7 \\ 7 & 4 & 1 & 2 \\ 2 & 7 & 4 & 1 \\ 1 & 2 & 7 & 4 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \\ 0 \\ 1 \end{pmatrix} + \begin{pmatrix} 10 & 7 & 1 & 13 \\ 13 & 10 & 7 & 1 \\ 1 & 13 & 10 & 7 \\ 7 & 1 & 13 & 10 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$
     $(4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2)$ in $\mathbb{Z}_p[x]/(x^n-1)$
     Multiplication in $\mathbb{Z}_p[x]/(x^n-1)$ takes time $O(n \log n)$ using FFT

  21. Great, a Better Hash Function!
     Sample parameters: $n=64$, $m=1024$, $p=257$
     • Domain size: $2^{1024}$ (1024 bits)
     • Range size: $257^{64}$ (≈ 512 bits)
     • Function description: $\log(257) \cdot 64 \cdot 1024$ ≈ 525,000 bits
     • “New function” description: $\log(257) \cdot 64 \cdot 16$ ≈ 8192 bits, and it's much faster!

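  22. But Is it Hard to Find Collisions?
     $A = \begin{pmatrix} 4 & 1 & 2 & 7 & 10 & 7 & 1 & 13 \\ 7 & 4 & 1 & 2 & 13 & 10 & 7 & 1 \\ 2 & 7 & 4 & 1 & 1 & 13 & 10 & 7 \\ 1 & 2 & 7 & 4 & 7 & 1 & 13 & 10 \end{pmatrix}$ ($n$ rows, $m$ columns)
     NO!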

  23. Finding Collisions
     [Figure: $h$ maps $D$ to $R$, and $h$ maps $D'$ to $R'$]

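  24. Finding Collisions
     $\begin{pmatrix} 4 & 1 & 2 & 7 \\ 7 & 4 & 1 & 2 \\ 2 & 7 & 4 & 1 \\ 1 & 2 & 7 & 4 \end{pmatrix} \cdot$ (first block of $z$) $+ \begin{pmatrix} 10 & 7 & 1 & 13 \\ 13 & 10 & 7 & 1 \\ 1 & 13 & 10 & 7 \\ 7 & 1 & 13 & 10 \end{pmatrix} \cdot$ (second block of $z$) $=$ a vector in $\mathbb{Z}_q^n$
     How many possibilities are there for this vector? $q^n$
     There is a way to pick the $z$ vector “smarter” so that the number of possibilities is just $q$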

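  25. Finding Collisions
     $\begin{pmatrix} 4 & 1 & 2 & 7 \\ 7 & 4 & 1 & 2 \\ 2 & 7 & 4 & 1 \\ 1 & 2 & 7 & 4 \end{pmatrix} \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}$
     $\begin{pmatrix} 4 & 1 & 2 & 7 \\ 7 & 4 & 1 & 2 \\ 2 & 7 & 4 & 1 \\ 1 & 2 & 7 & 4 \end{pmatrix} \begin{pmatrix} 1 \\ 1 \\ 1 \\ 1 \end{pmatrix} = \begin{pmatrix} 14 \\ 14 \\ 14 \\ 14 \end{pmatrix}$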

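  26. Finding Collisions
     $\begin{pmatrix} 4 & 1 & 2 & 7 \\ 7 & 4 & 1 & 2 \\ 2 & 7 & 4 & 1 \\ 1 & 2 & 7 & 4 \end{pmatrix} \cdot$ (first block of $z$) $+ \begin{pmatrix} 10 & 7 & 1 & 13 \\ 13 & 10 & 7 & 1 \\ 1 & 13 & 10 & 7 \\ 7 & 1 & 13 & 10 \end{pmatrix} \cdot$ (second block of $z$) $=$ a vector in $\mathbb{Z}_q^n$
     Set each block of $z$ to either all 0's or all 1's.
     How many possibilities for $z$ are there? $2^{\#\text{ of blocks}}$
     Need $2^{\#\text{ of blocks}} > q$ to guarantee a collision of this form: # of blocks $> \log q$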

  27. Collision-Resistant Hash Function
     Given: vectors $a_1, \ldots, a_m$ in $\mathbb{Z}_q^n$
     Find: non-trivial solution $z_1, \ldots, z_m$ in $\{-1,0,1\}$ such that
     $a_1 z_1 + a_2 z_2 + \dots + a_m z_m = 0$ in $\mathbb{Z}_q^n$
     $A = (a_1, \ldots, a_m)$. Define $h_A: \{0,1\}^m \to \mathbb{Z}_q^n$ where $h_A(z_1, \ldots, z_m) = a_1 z_1 + \dots + a_m z_m$
     • Domain of $h$ = $\{0,1\}^m$ (size = $2^m$)
     • Range of $h$ = $\mathbb{Z}_q^n$ (size = $q^n$)
     • Set $m > n \log q$ to get compression
     • # of blocks = $m/n > \log q$

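  28. But …
     $Az = r$: $\begin{pmatrix} 4 & 1 & 2 & 7 & 10 & 7 & 1 & 13 \\ 7 & 4 & 1 & 2 & 13 & 10 & 7 & 1 \\ 2 & 7 & 4 & 1 & 1 & 13 & 10 & 7 \\ 1 & 2 & 7 & 4 & 7 & 1 & 13 & 10 \end{pmatrix} z = \begin{pmatrix} 12 \\ 3 \\ 7 \\ 4 \end{pmatrix}$ ($n$ rows, $m$ columns)
     Theorem: For a random $r$ in $\mathbb{Z}_q^n$, it is hard to find a $z$ with coefficients in $\{-1,0,1\}$ such that $Az \bmod q = r$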

  29. Lattice Problems for “Cyclic Lattices”
     Worst-Case / Average-Case
     One-Way Functions

  30. Cyclic Lattices
     A set $L$ in $\mathbb{Z}^n$ is a cyclic lattice if:
     1.) For all $v, w$ in $L$, $v+w$ is also in $L$. Example: $(-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2)$
     2.) For all $v$ in $L$, $-v$ is also in $L$. Example: $(-1,2,3,-4) \to (1,-2,-3,4)$
     3.) For all $v$ in $L$, a cyclic shift of $v$ is also in $L$. Example: $(-1,2,3,-4) \to (-4,-1,2,3) \to (3,-4,-1,2) \to (2,3,-4,-1)$

  31. Cyclic Lattices = Ideals in $\mathbb{Z}[x]/(x^n-1)$
     A set $L$ in $\mathbb{Z}^n$ is a cyclic lattice if:
     1.) For all $v, w$ in $L$, $v+w$ is also in $L$. Example: $(-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2)$
     2.) For all $v$ in $L$, $-v$ is also in $L$. Example: $(-1,2,3,-4) \to (1,-2,-3,4)$
     3.) For all $v$ in $L$, a cyclic shift of $v$ is also in $L$. Example: $(-1,2,3,-4) \to (-4,-1,2,3) \to (3,-4,-1,2) \to (2,3,-4,-1)$

  32. $(x^n-1)$-Ideal Lattices
     A set $L$ in $\mathbb{Z}^n$ is an $(x^n-1)$-ideal lattice if:
     1.) For all $v, w$ in $L$, $v+w$ is also in $L$. Example: $(-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2)$
     2.) For all $v$ in $L$, $-v$ is also in $L$. Example: $(-1,2,3,-4) \to (1,-2,-3,4)$
     3.) For all $v$ in $L$, a cyclic shift of $v$ is also in $L$. Example: $(-1,2,3,-4) \to (-4,-1,2,3) \to (3,-4,-1,2) \to (2,3,-4,-1)$

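  33. What About Hash Functions?
     $A = \begin{pmatrix} 4 & 1 & 2 & 7 & 10 & 7 & 1 & 13 \\ 7 & 4 & 1 & 2 & 13 & 10 & 7 & 1 \\ 2 & 7 & 4 & 1 & 1 & 13 & 10 & 7 \\ 1 & 2 & 7 & 4 & 7 & 1 & 13 & 10 \end{pmatrix}$ ($n$ rows, $m$ columns)
     Not Collision-Resistant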

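  34. A “Simple” Modification
     $A = \begin{pmatrix} 4 & -1 & -2 & -7 & 10 & -7 & -1 & -13 \\ 7 & 4 & -1 & -2 & 13 & 10 & -7 & -1 \\ 2 & 7 & 4 & -1 & 1 & 13 & 10 & -7 \\ 1 & 2 & 7 & 4 & 7 & 1 & 13 & 10 \end{pmatrix}$ ($n$ rows, $m$ columns)
     Theorem: It is hard to find a $z$ with coefficients in $\{-1,0,1\}$ such that $Az \bmod q = 0$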

  35. Lattice Problems for $(x^n+1)$-Ideal Lattices
     Worst-Case / Average-Case
     Small Integer Solution Problem (SIS)
     Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes

  36. $(x^n+1)$-Ideal Lattices
     A set $L$ in $\mathbb{Z}^n$ is an $(x^n+1)$-ideal lattice if:
     1.) For all $v, w$ in $L$, $v+w$ is also in $L$. Example: $(1,2,3,4) + (-7,-2,3,6) = (-6,0,6,10)$
     2.) For all $v$ in $L$, $-v$ is also in $L$. Example: $(1,2,3,4) \to (-1,-2,-3,-4)$
     3.) For all $v$ in $L$, its “negative rotation” is also in $L$. Example: $(1,2,3,4) \to (-4,1,2,3) \to (-3,-4,1,2) \to (-2,-3,-4,1)$

  37. So How Efficient are the Ideal Lattice Constructions?
     • Collision-resistant hash functions
        • More efficient than any other provably-secure hash function
        • Almost as efficient as the ones used in practice
        • Can only prove collision-resistance
     • Signature schemes
        • Theoretically, very efficient
        • In practice, efficient
        • Key length ≈ 20,000 bits
        • Signature length ≈ 50,000 bits
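Slides 5 and 6 reduce search LWE to decisional LWE by re-randomizing each sample with a guess g for <v,s>. The following added example (not part of the original presentation) runs that reduction end to end at toy size; the sizes Q, N, B and the exhaustive-search distinguisher `looks_like_lwe` are assumptions made so that it can run.

```python
import itertools
import secrets

Q, N, B = 31, 2, 1  # assumed toy sizes: prime modulus q, dimension n, |e_i| <= B

def dot(x, y):
    return sum(i * j for i, j in zip(x, y)) % Q

def lwe_samples(s, count):
    """Oracle 1: pairs (a, <a,s> + e) with uniform a and small e."""
    out = []
    for _ in range(count):
        a = [secrets.randbelow(Q) for _ in range(N)]
        e = secrets.randbelow(2 * B + 1) - B
        out.append((a, (dot(a, s) + e) % Q))
    return out

def rerandomize(samples, v, g):
    """Map each (a, b) to (a + r*v, b + r*g) for a fresh uniform r in Z_q."""
    out = []
    for a, b in samples:
        r = secrets.randbelow(Q)
        a2 = [(ai + r * vi) % Q for ai, vi in zip(a, v)]
        out.append((a2, (b + r * g) % Q))
    return out

def looks_like_lwe(samples):
    """Stand-in d-LWE distinguisher: exhaustive search, feasible only at toy size."""
    def fits(cand):
        return all(min(d, Q - d) <= B
                   for d in ((b - dot(a, cand)) % Q for a, b in samples))
    return any(fits(c) for c in itertools.product(range(Q), repeat=N))

def recover_secret(samples):
    """Guess g for <v,s> with v a unit vector; the distinguisher confirms it."""
    secret = []
    for i in range(N):
        v = [int(j == i) for j in range(N)]
        secret.append(next(g for g in range(Q)
                           if looks_like_lwe(rerandomize(samples, v, g))))
    return secret

if __name__ == "__main__":
    s = [secrets.randbelow(Q) for _ in range(N)]
    print("secret", s, "recovered", recover_secret(lwe_samples(s, 16)))
```

A wrong guess adds r*g' to every b, which is uniform because Q is prime and g' is invertible, so the distinguisher rejects it except with negligible probability.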
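Slides 9 to 11 define the LWE-based public-key scheme and its decryption rule. The following added example (not from the original presentation) implements key generation, single-bit encryption and decryption; the sizes Q, N, M are assumed toy values chosen so that m*sqrt(q) < q/4, and they are far too small to be secure.

```python
import math
import secrets

Q, N, M = 1_000_003, 8, 200   # assumed toy sizes with m*sqrt(q) < q/4
B = math.isqrt(Q) - 1         # every |e_i| < sqrt(q), as on the slides

def keygen():
    """Secret key s in Z_q^n; public key (A, b = A s + e)."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    e = [secrets.randbelow(2 * B + 1) - B for _ in range(M)]
    b = [(sum(x * y for x, y in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, z):
    """Encrypt one bit z: pick r in {0,1}^m, send (rA, <r,b> + z*(q/2))."""
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]
    u = [sum(ri * row[j] for ri, row in zip(r, A)) % Q for j in range(N)]
    v = (sum(ri * bi for ri, bi in zip(r, b)) + z * (Q // 2)) % Q
    return u, v

def decrypt(s, ct):
    """<u,s> - v = -<r,e> - z*(q/2): near 0 means bit 0, near q/2 means bit 1."""
    u, v = ct
    d = (sum(x * y for x, y in zip(u, s)) - v) % Q
    return 0 if min(d, Q - d) < Q / 4 else 1

def worst_case_noise():
    """Largest possible |<r,e>|; decryption is correct while this is below q/4."""
    return M * B

if __name__ == "__main__":
    sk, pk = keygen()
    bits = [1, 0, 1, 1, 0]
    print(bits, [decrypt(sk, encrypt(pk, z)) for z in bits])
```

With these sizes the noise term is at most 199,800, below q/4, so decryption never fails; raising M or B past that bound makes wrong bits possible.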
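Slides 17 to 26 build the hash from multiplication in Z_p[x]/(x^n-1) and then show that inputs with all-0 or all-1 blocks collide, which is why slide 34 switches to the x^n+1 ring. The following added example (not from the original presentation) reproduces both points; p=257 and the 4-coefficient blocks come from the slides, while the function names, n=4 and the nine-block key are assumptions.

```python
import itertools
import secrets

def ring_mul(a, z, xn, p):
    """a*z in Z_p[x]/(x^n - xn): xn=+1 is the cyclic ring, xn=-1 is x^n + 1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, zj in enumerate(z):
            wrap = xn if i + j >= n else 1      # replace x^n by xn
            out[(i + j) % n] = (out[(i + j) % n] + wrap * ai * zj) % p
    return out

def ring_hash(key, z, xn, p):
    """h(z) = a_1*z_1 + ... + a_k*z_k, one ring element per block."""
    acc = [0] * len(key[0])
    for a, block in zip(key, z):
        acc = [(s + t) % p for s, t in zip(acc, ring_mul(a, block, xn, p))]
    return tuple(acc)

def block_collision(key, p):
    """Hash every input whose blocks are all 0s or all 1s in the cyclic ring.
    Each output is a constant vector, so 2^blocks > p forces a repeat."""
    n, seen = len(key[0]), {}
    for bits in itertools.product((0, 1), repeat=len(key)):
        z = [[bit] * n for bit in bits]
        h = ring_hash(key, z, +1, p)
        if h in seen:
            return seen[h], z, h
        seen[h] = z
    return None

def random_key(blocks, n, p):
    return [[secrets.randbelow(p) for _ in range(n)] for _ in range(blocks)]

if __name__ == "__main__":
    p, n = 257, 4                       # p from the slides; n is a toy size
    key = random_key(9, n, p)           # 9 blocks, so 2^9 = 512 > 257
    z1, z2, h = block_collision(key, p)
    print("cyclic ring, both inputs hash to", h)
    print("x^n+1 ring:", ring_hash(key, z1, -1, p), ring_hash(key, z2, -1, p))
```

In the x^n+1 ring an all-1 block no longer maps to a constant vector (for the block 4+7x+2x^2+x^3 it gives (251, 8, 12, 14) instead of (14, 14, 14, 14)), so the pigeonhole argument over q outputs does not apply.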
