1 / 73

New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions. Oded Regev. Lattices. Basis: v 1 ,…,v n vectors in R n The lattice is a 1 v 1 +…+a n v n for all integer a 1 ,…,a n . What is the shortest vector u ?. v 1 +v 2. 2v 2. 2v 1. 2v 2 -v 1. v 1. v 2. 2v 2 -2v 1. 0. 3v 1 -4v 2.

butch
Télécharger la présentation

New Lattice Based Cryptographic Constructions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. New Lattice Based Cryptographic Constructions Oded Regev

  2. Lattices • Basis: v1,…,vn vectors in Rn • The lattice is a1v1+…+anvn for all integer a1,…,an. • What is the shortest vector u ? v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1 0

  3. 3v1-4v2 Lattices – not so easy v1 v2 0

  4. 1 f(n) f(n)-unique-SVP (shortest vector problem) • Promise: the shortest vector u is shorter by a factor of f(n) • Algorithm for 2n-unique SVP [LLL82,Schnorr87] • Believed to be hard for any nc nc 2n 1 easy believed hard

  5. History • Geometric objects with rich structure • Early work by Gauss 1801, Hermite 1850, Minkowski 1896 • More recent developments: • LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82] • Factoring rational polynomials • Solving integer programs in a fixed dimension • Breaking knapsack cryptosystems • Ajtai’s average case connection [Ajtai96] • Lattice based cryptosystems

  6. Question • From which distribution is the following sequence taken? 478, 21, 431, 897, 150, 701, 929, 232 Uniform? Prob 1 1000 Prob Or wavy? 1 1000

  7. The d,γ-wavy Distribution • Periodization of the normal distribution • R=2^(2n2) • Number of periods is d (usually integer) • Ratio of period to standard dev. is γ • distd : {0,…,R-1}  [0,½] is the normalized distance from the nearest peak =γ d=7 Prob 0 R-1

  8. Main Theorem • For all γ=γ(n), a reduction from γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n2)

  9. Average-case Theorem • For all γ=γ(n), a reduction from γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions for a non-negligible fraction of values d in [2^(n2),2•2^(n^2)]

  10. Applications of Main Theorem • Public key encryption scheme • Collision resistant hash function • A problem in quantum computation

  11. Cryptography • ‘Standard’ cryptography: • Usually based on factoring, discrete log, principal ideal problem • Average case assumption • Mostly broken by quantum computers • Lattice based cryptography [Ajtai96,…]: • Based on lattice problems • Worst case assumption • Still not broken by quantum computers

  12. Application 1Public Key Encryption (PKE) • Consists of private key, public key, encryption and decryption • The Ajtai-Dwork cryptosystem [AjtaiDwork96,GoldreichGoldwasserHalevi97] • Previously, the only lattice based PKE with worst case assumption • Based on n7-unique Shortest Vector Problem

  13. Application 1Public Key Encryption (PKE) • We construct a new lattice based PKE from the average-case theorem: • Very simple description • Improves Ajtai-Dwork to n1.5-unique Shortest Vector Problem • Uses integer numbers, very efficient

  14. Application 2Collision Resistant Hash Function • A function f:{0,1}r{0,1}s with r>s such that it is hard to find collisions, i.e., • xy s.t. f(x)=f(y) • Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02] • Our construction is • The first which is not based on Ajtai’s iterative step • Somewhat stronger (based on n1.5-uSVP)

  15. Application 3 Quantum Computation • Quantum computers can break cryptography based on factoring [Shor96] • Based on the HSP on Abelian groups • What about lattice based cryptography?

  16. Application 3 Quantum Computation • Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02] • Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]

  17. Main Theorem • For all γ=γ(n), a reduction from γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n2)

  18. Proof of theMain Theorem

  19. Proof Outline n1.5-Unique-SVP decision problem promise problem n-dim distributions Main theorem

  20. Reduction to:Decision Problem • Given a n1.5-unique lattice, and a prime p>n1.5 • Assume the shortest vector is: u = a1v1+a2v2+…+anvn • Decide whether a1 is divisible by p

  21. The Reduction • Idea: decrease the coefficients of the shortest vector • If we find out that p|a1 then we can replace the basis with pv1,v2,…,vn . • u is still in the new lattice: u = (a1/p)•pv1 + a2v2 + … + anvn • The same can be done whenever p|ai for some i

  22. | The Reduction • But what if p ai for all i ? • Consider the basis v1,v2-v1,v3,…,vn • The shortest vector is u = (a1+a2)v1 + a2(v2-v1)+ a3v3 +… + anvn • The first coefficient is a1+a2 • Similarly, we can set it to a1-bp/2ca2 ,…, a1-a2 , a1 , a1+a2 , … , a1+bp/2ca2 • One of them is divisible by p, so we choose it and continue

  23. Proof Outline n1.5-Unique-SVP  decision problem promise problem n-dim distributions Main theorem

  24. Reduction from:Decision Problem • Given a n1.5-unique lattice, and a prime p>n1.5 • Assume the shortest vector is: u = a1v1+a2v2+…+anvn • Decide whether a1 is divisible by p

  25. Reduction to:Promise Problem • Given a lattice, distinguish between: Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n Case 2. Shortest vector is of length more than n

  26. | The reduction • Input: a basis (v1,…,vn) of a n1.5 unique lattice • Scale the lattice so that the shortest vector is of length 1/n • Replace v1 by pv1. Let M be the resulting lattice • If p | a1 then M has shortest vector 1/n and all non-parallel vectors more than n • If p a1 then M has shortest vector more than n

  27. The input lattice L L 1/n n -u 0 u 2u

  28. The lattice M • The lattice M is spanned by pv1,v2,…,vn: • If p|a1, then u = (a1/p)•pv1 + a2v2 +…+ anvn2M : M n 1/n 0 u

  29. 2 | The lattice M • The lattice M is spanned by pv1,v2,…,vn: • If p a1, then u M: M n -pu 0 pu

  30. Proof Outline n1.5-Unique-SVP  decision problem  promise problem n-dim distributions Main theorem

  31. Reduction from:Promise Problem • Given a lattice, distinguish between: Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n Case 2. Shortest vector is of length more than n

  32. n-dimensional distributions • Distinguish between the distributions: ? Uniform Wavy

  33. Dual Lattice • Given a lattice L, the dual lattice is L* = { x | 8y2L, <x,y>2Z } 1/5 L L* 5 0 0

  34. L* 0 n 0 L* - the dual of L L n Case 1 1/n 0 n Case 2

  35. Reduction • Choose a point randomly from L* • Perturb it by a Gaussian of radius n

  36. Creating the Distribution L* L*+ perturb 0 Case 1 n Case 2

  37. Analyzing the Distribution • Theorem: (using [Banaszczyk’93]) The distribution obtained above depends only on the points in L of distance n from the origin (up to an exponentially small error) • Therefore, Case 1: Determined by multiples of u  wavy on hyperplanes orthogonal to u Case 2: Determined by the origin  uniform

  38. Proof of Theorem • For a set A in Rn,define: • Poisson Summation Formula implies: • Banaszczyk’s theorem: For any lattice L,

  39. Proof of Theorem (cont.) • In Case 2, the distribution obtained is very close to uniform: • Because:

  40. Proof Outline n1.5-Unique-SVP  decision problem  promise problem  n-dim distributions Main theorem

  41. n-dimensional distributions • Distinguish between the distributions • Given by an oracle that returns points inside a cube of side length 2n ? Wavy Uniform

  42. Main Theorem • Distinguish between the distributions: Uniform: 0 R-1 Wavy: 0 R-1

  43. Reducing to 1-dimension • First attempt: sample and project to a line

  44. Reducing to 1-dimension • But then we lose the wavy structure! • We should project only from points very close to the line

  45. The solution • Use the periodicity of the distribution • Project on a ‘dense line’ :

  46. The solution

  47. The solution • We choose the line that connects the origin to e1+Ke2+K2e3…+Kn-1enwhere K is large enough • The distance between hyperplanes is n • The sides are of length 2n • Therefore, we choose K=2O(n) • Hence, d<O(Kn)=2^(O(n2))

  48. Done n1.5-Unique-SVP  decision problem  promise problem  n-dim distributions  Main theorem

  49. From Worst-Case to Average-Case

  50. Worst-case vs. Average-case • Main theorem presents a problem that is hard in the worst-case: distinguish between uniform and d,γ-wavy distributions for all integers d<2^(n2) • For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of d in [2^(n2), 2•2^(n2)]

More Related