
Lattice-based Cryptography



Presentation Transcript


  1. Lattice-based Cryptography. Oded Regev, Tel-Aviv University

  2. Outline • Introduction to lattices • Survey of lattice-based cryptography • Hash functions [Ajtai96,…] • Public-key cryptography [AjtaiDwork97,…] • Construction of a simple lattice-based hash function • Open Problems

  3. Lattice • For vectors v1,…,vn in R^n we define the lattice generated by them as • L = {a1v1+…+anvn | ai integers} • We call v1,…,vn a basis of L • (Figure: a two-dimensional lattice generated by v1 and v2, with the points 0, v1, v2, v1+v2, 2v1, 2v2, 2v2-v1 and 2v2-2v1 marked.)

  4. History • Geometric objects with rich structure • Considerable mathematical interest, starting from early work by Gauss 1801, Hermite 1850, and Minkowski 1896. • Recently, many interesting applications in computer science. Some highlights: • LLL algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovász82]. Used for: • Factoring rational polynomials, • Solving integer programs in a fixed dimension, • Breaking knapsack cryptosystems. • Cryptanalysis: • Coppersmith’s attacks on RSA • Cryptography: • Ajtai’s one-way functions and the average case connection [Ajtai96] • Lattice-based cryptosystems [AjtaiDwork97]

  5. Shortest Vector Problem (SVP) • SVP: given a lattice, find a shortest (nonzero) vector • γ-approximate SVP: given a lattice, find a vector of length at most γ times the shortest • Other lattice problems: SIVP, SBP, etc. • (Figure: a two-dimensional lattice with basis v1, v2 in which the short vector 3v2-4v1 is marked.)

  6. Lattice Problems Seem Hard • Conjecture: for any γ = poly(n), γ-approximate SVP is hard • Best known algorithm runs in time 2^n [AjtaiKumarSivakumar01] • On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04] • Best poly-time algorithm solves for γ = 2^{n loglog n / log n} [LLL82, Schnorr85] • NP-hard for sub-polynomial γ [Ajtai97, Micciancio01, Khot04, HavivR07] • (Figure: the γ axis marked at 1, 2^{log^{1-ε} n}, √n, n and 2^{n loglog n / log n}, with the regions labelled NP-hard, NP∩coNP, crypto and P.)

  7. Survey of Lattice-based Cryptography

  8. Why use lattice-based cryptography • Lattice-based cryptography: • Provably secure • Security based on a worst-case problem • Based on hardness of lattice problems • (Still) Not broken by quantum algorithms • Very simple computations • Can do more things • ‘Standard’ cryptography: • Not always provable… • Security based on an average-case problem • Based on hardness of factoring, discrete log, etc. • Broken by quantum algorithms • Require modular exponentiation etc.

  9. Provable Security • Reduce solving a hard problem to breaking the cryptographic function • A security proof gives strong evidence that our cryptographic function has no fundamental flaws • Can also give hints as to choice of parameters • Example: One-wayness of modular squaring • Somehow choose N=pq for two large primes p,q • f(x) = x^2 mod N • If we can compute square roots then we can factor N

  10. Average-case hardness is not so nice… • How do you pick a “good” N in RSA? • Just pick p,q as random large primes and set N=pq? • (1978) Largest prime factors of p-1,q-1 should be large • (1981) p+1 and q+1 should have a large prime factor • (1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors • (1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors • Bottom line: currently, none of this is relevant

  11. Provable security based on average-case hardness • The cryptographic function is hard provided almost all N are hard to factor • (Figure: each modulus N yields a function f_N.)

  12. Provable security based on worst-case hardness • The cryptographic function is hard provided the lattice problem is hard in the worst-case • This is a much stronger security guarantee • It assures us that our distribution is correct • (Figure: each lattice L yields a function f_L.)

  13. Collision-Resistant Hash Functions • A CRHF is a function f: {0,1}^r → {0,1}^s with r > s such that it is hard to find collisions, i.e., x ≠ y s.t. f(x) = f(y) • First lattice-based CRHF given in [Ajtai96] • Based on the worst-case hardness of n^8-approximate SVP • Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04] • Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04]

  14. The Modular Subset-Sum Function • Let N be a big integer, and m = 2 log_2 N • Choose a1,…,am uniformly in {0,…,N-1}. Then define f_{a1,…,am}: {0,1}^m → {0,…,N-1} by • f_{a1,…,am}(b1,…,bm) = Σ b_i a_i mod N • Since m > log_2 N, (many) collisions exist • We will later see a proof of security: • Being able to find a collision in a randomly chosen f, even with probability n^{-100}, implies a solution to any instance of approximate-SVP

  15. Recent Work: More Efficient CRHFs • In the constructions above, for security based on n-dimensional lattices, O(n^2) bits are necessary to specify a hash function • More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06] • Essentially the same subset-sum function except over a different ring • Only O(n) bits needed to specify a hash function • Based on worst-case hardness of approximate-SVP on a restricted class of lattices (e.g., cyclic or ideal lattices)

  16. Public-key Cryptosystem • A PKC allows parties to communicate securely without having to agree on a secret key beforehand • First lattice-based PKC presented in [AjtaiDwork97] • Some improvements [GoldreichGoldwasserHalevi97, R03, Peikert08] • Advantages: • Worst-case hardness • Based on lattice problems (GapSVP) • Main disadvantage: impractical! (think of n as 100): • Public key size O(n^4) • Encryption expands by O(n^2)

  17. A Recent Public-key Cryptosystem [R05] • Advantages: • Worst-case hardness • Based on the main lattice problems (SVP, SIVP) • Main advantage: practical! (think of n as 100): • Public key size O(n) • Encryption expands by O(n) • One (minor?) disadvantage: • Breaking the cryptosystem implies an efficient quantum algorithm for lattices • Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09, ...])

  18. Example of a lattice-based PKC [R05] • Everything modulo 4 • Private key: 4 random numbers: 1 2 0 3 • Public key: a 6x4 matrix and, for each row, an approximate inner product with the private key (exact value first, published approximate value second): • 2·1 + 0·2 + 1·0 + 2·3 = 0, published ≈ 1 • 1·1 + 2·2 + 2·0 + 3·3 = 2, published ≈ 2 • 0·1 + 2·2 + 0·0 + 3·3 = 1, published ≈ 1 • 1·1 + 2·2 + 0·0 + 2·3 = 3, published ≈ 0 • 0·1 + 3·2 + 1·0 + 3·3 = 3, published ≈ 3 • 3·1 + 3·2 + 0·0 + 2·3 = 3, published ≈ 2 • Without the private key each row reads, e.g., 2·? + 0·? + 1·? + 2·? ≈ 1 • Encrypt the bit 0: 3·? + 2·? + 1·? + 0·? ≈ 1 • Encrypt the bit 1: 3·? + 2·? + 1·? + 0·? ≈ 3
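The slide's toy numbers worked through in code (an added example, not part of the original deck): errors() recovers the error hidden in each published value, encrypt() reproduces both ciphertexts by summing the first and fourth rows, and keygen()/decrypt() run the same scheme with fresh keys at q = 97. The function names, the choice of rows and the value q = 97 are assumptions made here.

```python
import random

# Toy LWE public-key scheme of slide 18: everything modulo q. The secret, the
# 6x4 matrix and the published ("≈") values are copied from the slide (q = 4).
Q_SLIDE = 4
S_SLIDE = (1, 2, 0, 3)
ROWS_SLIDE = [(2, 0, 1, 2), (1, 2, 2, 3), (0, 2, 0, 3),
              (1, 2, 0, 2), (0, 3, 1, 3), (3, 3, 0, 2)]
NOISY_SLIDE = [1, 2, 1, 0, 3, 2]

def inner(a, s, q):
    """Inner product of two integer vectors, reduced modulo q."""
    return sum(x * y for x, y in zip(a, s)) % q

def centred(v, q):
    """Representative of v mod q in the range (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def errors(rows, noisy, s, q):
    """Error hidden in each public-key entry: published value minus exact <a_i, s>."""
    return [centred(b - inner(a, s, q), q) for a, b in zip(rows, noisy)]

def keygen(n, m, q, rng):
    """Secret s in Z_q^n; public key = m random rows a_i and b_i = <a_i, s> + e_i, e_i in {-1,0,1}."""
    s = tuple(rng.randrange(q) for _ in range(n))
    rows = [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m)]
    noisy = [(inner(a, s, q) + rng.choice((-1, 0, 1))) % q for a in rows]
    return s, (rows, noisy)

def encrypt(pk, subset, bit, q):
    """Sum the chosen rows and their published values; add bit * floor(q/2) to the value."""
    rows, noisy = pk
    a = tuple(sum(rows[i][j] for i in subset) % q for j in range(len(rows[0])))
    b = (sum(noisy[i] for i in subset) + bit * (q // 2)) % q
    return a, b

def decrypt(ct, s, q):
    """b - <a, s> is a small error for bit 0 and about q/2 away from 0 for bit 1."""
    a, b = ct
    d = abs(centred(b - inner(a, s, q), q))
    return 1 if d > q // 4 else 0

def roundtrip(n=4, m=20, q=97, seed=1):
    """Fresh keys with q = 97: at most 20 unit errors stay below q/4, so every bit is recovered."""
    rng = random.Random(seed)
    s, pk = keygen(n, m, q, rng)
    subsets = [[i for i in range(m) if rng.random() < 0.5] for _ in range(30)]
    return all(decrypt(encrypt(pk, sub, bit, q), s, q) == bit
               for bit in (0, 1) for sub in subsets)
```

With q = 4 the two +1 errors of the rows behind (3, 2, 1, 0) add up to exactly q/2, so the slide's own ciphertexts cannot be decrypted reliably; the real scheme takes q much larger than the accumulated error, which is what roundtrip() illustrates.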

  19. Construction of a Lattice-based Collision Resistant Hash Function

  20. Blurring a Picture

  21. Blurring a Lattice

  22. Blurring a Lattice

  23. Blurring a Lattice

  24. Blurring a Lattice

  25. Blurring a Lattice

  26. The Smoothing Radius • Define the smoothing radius σ = σ(L) > 0 as the smallest real such that adding Gaussian blur of radius σ to L yields an essentially uniform distribution • The radius σ was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93] • It was shown that σ is ‘small’ in the sense that finding vectors of length poly(n)·σ(L) implies a solution to poly(n)-approximate SVP

  27. An Alternative Definition • Define h: R^n → [0,1)^n that maps any x = Σ α_i v_i to • h(x) = (α_1,…,α_n) mod 1 • E.g., any x∈L has h(x) = (0,…,0) • Then an alternative way to define σ is as: • The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius σ, then h(x) is ‘essentially’ uniform on [0,1)^n

  28. (Figure: four points x1,…,x4 in R^n on the left and their images h(x1),…,h(x4) in the unit cube [0,1)^n, with corners (0,0), (1,0), (0,1), (1,1), on the right.)

  29. Our CRHF • Fix the dimension n, let q = 2^{2n}, and m = 4n^2 • Choose a1,…,am uniformly in Z_q^n. Then define f_{a1,…,am}: {0,1}^m → {0,1}^{n log_2 q} by • f_{a1,…,am}(b1,…,bm) = Σ b_i a_i (mod q) • Since m > n log_2 q, (many) collisions exist • We now prove security by showing that: • Being able to find a collision in a randomly chosen f_{a1,…,am}, even with probability n^{-100}, implies a solution to any instance of poly(n)-approximate SVP
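The modular subset-sum function of slide 14 and its vector version of slide 29 at toy size (an added example, not code from the deck): a collision x ≠ y found by exhaustive search yields z = x - y with entries in {-1,0,1} and Σ z_i a_i = 0 (mod q), which is the short vector the security proof starts from. The parameter values and function names are assumptions made here.

```python
import itertools
import random

def subset_sum_hash(a, bits, q):
    """f_{a_1..a_m}(b_1..b_m) = sum of b_i * a_i (mod q), coordinate-wise, a_i in Z_q^n.
    Also accepts b_i in {-1,0,1}, which evaluates the difference of two inputs."""
    n = len(a[0])
    return tuple(sum(b * v[j] for b, v in zip(bits, a)) % q for j in range(n))

def random_key(n, m, q, rng):
    """Choose a_1..a_m uniformly in Z_q^n: the description of one hash function."""
    return [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m)]

def find_collision(a, q):
    """Exhaustive search for x != y in {0,1}^m with f(x) = f(y); toy sizes only.
    Pigeonhole guarantees a collision as soon as 2^m > q^n, i.e. m > n*log2(q)."""
    seen = {}
    for bits in itertools.product((0, 1), repeat=len(a)):
        digest = subset_sum_hash(a, bits, q)
        if digest in seen:
            return seen[digest], bits
        seen[digest] = bits
    return None

def kernel_vector(x, y):
    """z = x - y: nonzero, entries in {-1,0,1}, and sum z_i a_i = 0 (mod q), so z is a
    short vector of the lattice {z in Z^m : sum z_i a_i = 0 (mod q)}."""
    return tuple(xi - yi for xi, yi in zip(x, y))

def is_short_kernel_vector(a, z, q):
    """Check the three properties a collision buys us."""
    return (any(z) and all(c in (-1, 0, 1) for c in z)
            and subset_sum_hash(a, z, q) == (0,) * len(a[0]))

def demo(n=2, q=5, m=6, seed=7):
    """Slide 29's function at toy size (m = 6 > n*log2(q) = 4.64); n = 1 gives slide 14."""
    a = random_key(n, m, q, random.Random(seed))
    x, y = find_collision(a, q)
    return a, x, y, kernel_vector(x, y)
```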

  30. Security Proof • Assume there exists an algorithm CollisionFind that given a1,…,am chosen uniformly in Z_q^n, finds with some non-negligible probability b1,…,bm ∈ {-1,0,1} (not all zero) such that • Σ b_i a_i = 0 (mod q). • This implies an algorithm CollisionFind’ that given a1,…,am chosen uniformly from [0,1)^n, finds with some non-negligible probability b1,…,bm ∈ {-1,0,1} (not all zero) such that • Σ b_i a_i ≈ (0,…,0) (mod 1) • (up to m/q in each coordinate)

  31. CollisionFind’ • (Figure: six points a1,…,a6 in the unit square [0,1)^2 with corners (0,0), (1,0), (0,1), (1,1).) • Output: “a1+a2-a4+a5 ≈ (0,…,0) (mod 1)”

  32. Security Proof • Our goal is to show that using CollisionFind’ we can find a nonzero vector of length at most poly(n)·σ(L) in any given lattice L • So let L be a given lattice with basis v1,…,vn • By using the LLL algorithm, we can assume that v1,…,vn are not ‘unreasonably’ long: say, of length at most 2^n·σ(L)

  33. Security Proof – Main Procedure • Sample m vectors x1,…,xm from the Gaussian distribution around 0 of radius σ • Compute a1:=h(x1),…,am:=h(xm) • Each ai is uniformly distributed in [0,1)^n • Apply CollisionFind’ to obtain b1,…,bm ∈ {-1,0,1} such that • Σ b_i h(x_i) ≈ (0,…,0) (mod 1), up to m/q in each coordinate • Define y = Σ b_i x_i. Then, • y is short (of length about mσ) • y is extremely close to a lattice point since h(y) = Σ b_i h(x_i) ≈ (0,…,0) (mod 1), up to m/q in each coordinate

  34. Security Proof – Main Procedure • Write y = Σ α_i v_i for some reals α_1,…,α_n • So each α_i is within m/q of an integer • Define the lattice vector y’ = Σ ⌊α_i⌉ v_i, where ⌊α_i⌉ is α_i rounded to the nearest integer • The distance between y and y’ is at most n·(m/q)·2^n·σ, which is at most σ for our choice q = 2^{2n}, m = 4n^2 (and n large enough) • So y’ is a lattice vector of length at most (m+1)σ

  35. (Figure: the four blurred points x1,…,x4 together with y and the nearby lattice vector y’, with 0 marked.) • CollisionFind’(a1,a2,a3,a4) outputs “-a2-a3+a4 ≈ 0 (mod 1)”

  36. Security Proof – One Last Issue • How to guarantee that y’ is nonzero? • Maybe CollisionFind’ acts in some ‘malicious’ way, trying to make y’ zero • It can be shown that ai does not contain enough information about xi • In other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y’ is nonzero with very high probability

  37. Security Proof – Conclusion • By a single call to the collision finder, we can find in any lattice a nonzero vector of length at most (m+1)σ with some non-negligible probability • By repeating this procedure we can obtain such a vector with very high probability • The essential idea: All lattices look the same after adding some small amount of blur
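The main procedure of slides 33-34, run on a toy two-dimensional lattice (an added example, not from the deck): the basis, the blur radius, the tolerance standing in for m/q and the brute-force stand-in for CollisionFind’ are all assumptions made here; the map h, the rounding step and the nonzero check of slide 36 follow the description above.

```python
import itertools
import math
import random

# Toy instance of the reduction: fixed 2-dimensional basis, Gaussian blur of
# radius SIGMA, and an exhaustive stand-in for CollisionFind' (all assumed values).
BASIS = ((2.0, 0.5), (0.4, 3.0))   # v1, v2
SIGMA = 2.0                         # blur radius; assumed to exceed the smoothing radius
TOL = 0.05                          # per-coordinate slack, playing the role of m/q

def coefficients(x, basis=BASIS):
    """Real (alpha1, alpha2) with x = alpha1*v1 + alpha2*v2 (2x2 Cramer's rule)."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return ((x[0] * d - x[1] * c) / det, (x[1] * a - x[0] * b) / det)

def h(x):
    """The map h: R^n -> [0,1)^n of slide 27: coefficients of x modulo 1."""
    return tuple(c - math.floor(c) for c in coefficients(x))

def collision_find(a_list, tol=TOL):
    """Toy CollisionFind': yield nonzero b in {-1,0,1}^m whose combination of the a_i
    is within tol of an integer vector, i.e. approximately (0,...,0) (mod 1)."""
    for b in itertools.product((-1, 0, 1), repeat=len(a_list)):
        if not any(b):
            continue
        s = [sum(bi * ai[j] for bi, ai in zip(b, a_list)) for j in range(2)]
        if all(abs(t - round(t)) <= tol for t in s):
            yield b

def main_procedure(m=8, seed=3):
    """Slides 33-34: blur, map by h, collide, combine, round. Returns (y, y', coeffs of y')."""
    rng = random.Random(seed)
    xs = [(rng.gauss(0, SIGMA), rng.gauss(0, SIGMA)) for _ in range(m)]  # blurred samples
    a_list = [h(x) for x in xs]                       # a_i = h(x_i), about uniform in [0,1)^2
    for b in collision_find(a_list):
        y = tuple(sum(bi * x[j] for bi, x in zip(b, xs)) for j in range(2))  # short combination
        k = tuple(round(c) for c in coefficients(y))  # each alpha_i is within TOL of an integer
        if any(k):                                    # slide 36: discard the rare y' = 0
            y_prime = tuple(k[0] * BASIS[0][j] + k[1] * BASIS[1][j] for j in range(2))
            return y, y_prime, k
    return None                                       # no usable collision: repeat (slide 37)

def distance(u, v):
    """Euclidean distance, used to check that y' is close to y."""
    return math.dist(u, v)
```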

  38. Open Problems • Establish recommended parameters • Cryptanalysis • Known attacks limited to low dimension [NguyenStern98] • New systems [Ajtai05,R05] are efficient and can be used with high dimensions • Improved cryptosystems • Use special classes of lattices
