
Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University


Presentation Transcript


  1. Introduction to Lattice-Based Cryptography Vadim Lyubashevsky Tel-Aviv University September 9, 2009

  2. Cryptographic Hardness Assumptions • Factoring is hard • Discrete Log Problem is hard • Diffie-Hellman problem is hard • Decisional Diffie-Hellman problem is hard • Problems involving Elliptic Curves are hard • Many assumptions

  3. Why Do We Need More Assumptions? • Number theoretic functions are rather slow • Factoring, Discrete Log, Elliptic curves are “of the same flavor” • Quantum computers break all number theoretic assumptions

  4. Lattice-Based Cryptography • Seemingly very different assumptions from factoring, discrete log, elliptic curves • Simple descriptions and implementations • Very parallelizable • Resists quantum attacks (we think) • Security based on worst-case problems

  5. Average-Case Assumptions vs. Worst-Case Assumptions • Example: Want to base a scheme on factoring • Need to generate a “hard-to-factor” N • How? • Need a “hard distribution” • Wishful thinking: Factoring random numbers from some distribution is as hard as factoring any number

  6. Lattice Problems (diagram): Worst-Case → Average-Case [Learning With Errors Problem (LWE), Small Integer Solution Problem (SIS)] → Minicrypt [One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes] and Cryptomania [Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption]

  7. Lattices. Lattice: A discrete additive subgroup of R^n

  8. Lattices Basis: A set of linearly independent vectors that generate the lattice.


  10. Shortest Independent Vector Problem (SIVP) Find n short linearly independent vectors


  12. Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

  13. Bounded Distance Decoding (BDD): Given a target vector that's close to the lattice, find the nearest lattice vector


  15. (Diagram with the worst-case problems filled in:) Worst-Case [SIVP, BDD] → (quantum) → Average-Case [Learning With Errors Problem (LWE), Small Integer Solution Problem (SIS)] → Minicrypt [One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes] and Cryptomania [Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption]

  16. Small Integer Solution Problem. Given: random vectors a_1, ..., a_m in Z_q^n. Find: a non-trivial solution z_1, ..., z_m in {-1, 0, 1} such that a_1 z_1 + a_2 z_2 + … + a_m z_m = 0 in Z_q^n • Observations: • If the size of the z_i is not restricted, then the problem is trivial • Immediately implies a collision-resistant hash function


  18. Collision-Resistant Hash Function. Given: random vectors a_1, ..., a_m in Z_q^n. Find: a non-trivial solution z_1, ..., z_m in {-1, 0, 1} such that a_1 z_1 + a_2 z_2 + … + a_m z_m = 0 in Z_q^n. Let A = (a_1, ..., a_m) and define h_A: {0,1}^m → Z_q^n by h_A(z_1, ..., z_m) = a_1 z_1 + … + a_m z_m. Domain of h = {0,1}^m (size 2^m); range of h = Z_q^n (size q^n). Set m > n log q to get compression. Collision: a_1 z_1 + … + a_m z_m = a_1 y_1 + … + a_m y_m, so a_1 (z_1 - y_1) + … + a_m (z_m - y_m) = 0, and the z_i - y_i are in {-1, 0, 1}
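The hash function of slides 16 and 18 as an added, runnable Python example (not code from the talk): it builds h_A for constructed toy parameters (n = 2, m = 6, q = 5; the brute-force collision search is only feasible at this size), finds a collision by pigeonhole, and checks that z - y is a non-trivial {-1, 0, 1} solution to SIS for the same A.

```python
import itertools
import random

# Toy parameters constructed for this example (slide 48 uses n=64, m=1024, q=257).
# m > n*log2(q) makes h_A compressing, so collisions are guaranteed to exist.
N, M, Q = 2, 6, 5

def keygen(rng):
    """Hash key A = (a_1, ..., a_m): m uniformly random vectors in Z_q^n."""
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]

def h(A, z):
    """h_A(z_1, ..., z_m) = a_1 z_1 + ... + a_m z_m, coordinate-wise in Z_q^n."""
    return tuple(sum(A[i][j] * z[i] for i in range(M)) % Q for j in range(N))

def find_collision(A):
    """Brute force over the 2^m domain (feasible only for toy m): returns two
    distinct inputs z != y with h_A(z) == h_A(y); pigeonhole guarantees one."""
    seen = {}
    for z in itertools.product((0, 1), repeat=M):
        y = seen.setdefault(h(A, z), z)
        if y != z:
            return z, y
    return None

def collision_to_sis(z, y):
    """The difference z - y has entries in {-1, 0, 1} and is non-zero: an SIS solution."""
    return tuple(zi - yi for zi, yi in zip(z, y))

def is_sis_solution(A, w):
    """Check w != 0, w in {-1,0,1}^m and a_1 w_1 + ... + a_m w_m = 0 in Z_q^n."""
    return any(w) and all(wi in (-1, 0, 1) for wi in w) and h(A, w) == (0,) * N

def demo(seed=0):
    """Key generation, collision search and conversion to an SIS solution, in one run."""
    rng = random.Random(seed)
    A = keygen(rng)
    z, y = find_collision(A)
    return is_sis_solution(A, collision_to_sis(z, y))
```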


  20. Worst-Case [SIVP, BDD] → Average-Case [Learning With Errors Problem (LWE), Small Integer Solution Problem (SIS)] → Minicrypt [One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes] and Cryptomania [Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption]

  21. For Any Lattice ... Consider the distribution obtained by: 1. Pick a uniformly random lattice point 2. Sample from a Gaussian distribution centered at the lattice point

  22. One-Dimensional Gaussian Distribution

  23. Two-Dimensional Gaussian Distribution. Image courtesy of Wikipedia

  24. Gaussians on Lattice Points Image courtesy of Oded Regev


  28. Shortest Independent Vector Problem (SIVP). Find n short linearly independent vectors. The standard deviation of the Gaussian that leads to the uniform distribution is related to the length of the longest vector in the SIVP solution

  29. Worst-Case to Average-Case Reduction


  31. Worst-Case to Average-Case Reduction (figure: grid points labeled 0, 1 or 2 per coordinate). Important: All lattice points have label (0,0) and all points labeled (0,0) are lattice points (0^n in n-dimensional lattices)

  32-35. (figure: grid points labeled 0, 1 or 2 per coordinate) How to use the SIS oracle to find a short vector in any lattice: Repeat m times: pick a random lattice point; Gaussian-sample a point around the lattice point. All the samples are uniform in Z_q^n. Give the m “Z_q^n samples” a_1, ..., a_m to the SIS oracle. Oracle outputs z_1, ..., z_m in {-1, 0, 1} such that a_1 z_1 + … + a_m z_m = 0

  36-37. (figure: each sample s_i is a lattice point v_i plus a Gaussian offset r_i, i.e. v_i + r_i = s_i) Give the m “Z_q^n samples” a_1, ..., a_m to the SIS oracle. Oracle outputs z_1, ..., z_m in {-1, 0, 1} such that a_1 z_1 + … + a_m z_m = 0. Then s_1 z_1 + ... + s_m z_m is a lattice vector, so (v_1 + r_1) z_1 + ... + (v_m + r_m) z_m is a lattice vector, so (v_1 z_1 + ... + v_m z_m) + (r_1 z_1 + ... + r_m z_m) is a lattice vector, so r_1 z_1 + ... + r_m z_m is a lattice vector. The r_i are short vectors and the z_i are in {-1, 0, 1}, so r_1 z_1 + ... + r_m z_m is a short lattice vector

  38. Some Technicalities • You can’t sample a “uniformly random” lattice point • In the proofs, we work with R^n / L rather than R^n • So you don't need to sample a random lattice point • What if r_1 z_1 + ... + r_m z_m is 0? • Can show that with high probability it isn't • Given an s_i, there are multiple possible r_i • Gaussian sampling doesn’t give us points on the grid • You can round to a grid point • Must be careful to bound the “rounding distance”
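The reduction of slides 31 to 38 as an added toy Python example, not the talk's own code: a constructed 2-dimensional lattice with basis columns (4, 1) and (1, 5), q = 3 grid labels, Gaussian samples rounded onto the grid, a brute-force SIS oracle (only feasible at this size), and a retry whenever the combination comes out as 0. The output is a lattice vector short relative to the Gaussian width; the uniformity of the labels is not enforced here, since a brute-force oracle answers any input.

```python
import itertools
import random

# Constructed toy lattice L = B * Z^2 with basis columns (4, 1) and (1, 5).
B = [[4, 1], [1, 5]]
DET = B[0][0] * B[1][1] - B[0][1] * B[1][0]                       # 19
B_INV = [[B[1][1] / DET, -B[0][1] / DET], [-B[1][0] / DET, B[0][0] / DET]]
Q = 3        # grid (1/Q)L; each grid point is labeled by its coordinates mod Q, as in the figure
M = 5        # number of samples handed to the SIS oracle

def mat_vec(Mx, x):
    return [sum(Mx[i][j] * x[j] for j in range(2)) for i in range(2)]

def grid_coords(s):
    """Round s in R^2 onto the grid (1/Q)L: integer coordinates k = round(Q * B^{-1} s).
    The Z_Q^n label is k mod Q; lattice points have k = 0 mod Q, i.e. label (0, 0)."""
    return [round(Q * c) for c in mat_vec(B_INV, s)]

def sis_oracle(labels):
    """Brute-force SIS oracle, feasible only at toy size: a non-zero z in {-1,0,1}^m with
    z_1 a_1 + ... + z_m a_m = 0 in Z_Q^n (one exists here because 2^5 > 3^2)."""
    for z in itertools.product((-1, 0, 1), repeat=len(labels)):
        if any(z) and all(sum(zi * a[j] for zi, a in zip(z, labels)) % Q == 0 for j in range(2)):
            return z
    return None

def find_short_vector(seed=1, sigma=1.5):
    """Slides 32 to 37: sample around random lattice points, label, query the oracle,
    and combine the (rounded) Gaussian offsets r_i into a lattice vector."""
    rng = random.Random(seed)
    while True:                                   # slide 38: retry if the combination is 0
        cs, ks = [], []
        for _ in range(M):
            c = [rng.randint(-3, 3) for _ in range(2)]                 # random lattice point v = B c
            s = [vi + rng.gauss(0, sigma) for vi in mat_vec(B, c)]     # s = v + r, r Gaussian
            cs.append(c)
            ks.append(grid_coords(s))                                  # rounded s, grid coords k
        z = sis_oracle([tuple(k % Q for k in ks_i) for ks_i in ks])
        # rounded r_i = s_i - v_i has grid coordinates k_i - Q*c_i. Since sum z_i k_i = 0 mod Q,
        # sum z_i (k_i - Q c_i) is divisible by Q: the combination of the r_i is a lattice vector,
        # and it is short because the r_i are short and the z_i are in {-1, 0, 1}.
        w = [sum(zi * (k[j] - Q * c[j]) for zi, k, c in zip(z, ks, cs)) // Q for j in range(2)]
        if any(w):
            return mat_vec(B, w)                                       # short lattice vector B w
```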


  41. Learning With Errors Problem. Distinguish between these two distributions. Oracle 1 outputs pairs (a_1, b_1 = <a_1, s> + e_1), (a_2, b_2 = <a_2, s> + e_2), …, where s is chosen randomly in Z_q^n, the a_i are chosen randomly from Z_q^n and the e_i are “small” elements in Z_q. Oracle 2 outputs pairs (a_1, b_1), (a_2, b_2), …, where the a_i are chosen randomly from Z_q^n and the b_i are chosen randomly from Z_q

  42. Learning With Errors Problem. In matrix form, with rows a_1, a_2, ..., a_m: [a_1; a_2; …; a_m] s + e = b, where the a_i and s are in Z_q^n, e is in Z_q^m, and all coefficients of e are < sqrt(q)

  43. Learning With Errors Problem. A s + e = b, where A is in Z_q^{m×n}, s is in Z_q^n, e is in Z_q^m, and all coefficients of e are < sqrt(q). LWE problem: Distinguish (A, As+e) from (A, b) where b is random

  44. Public Key Encryption Based on LWE. Secret key: s in Z_q^n. Public key: A in Z_q^{m×n}, b = As + e, where each coefficient of e is < sqrt(q). Encrypting a single bit z in {0,1}: pick r in {0,1}^m and send (rA, <r,b> + z(q/2))

  45. Proof of Semantic Security. If b is random, then (A, rA, <r,b>) is also completely random, so (A, rA, <r,b> + z(q/2)) is also completely random. Since (A, b) looks random (based on the hardness of LWE), so does (A, rA, <r,b> + z(q/2)) for any z

  46. Decryption. Have (u, v) where u = rA and v = <r,b> + z(q/2). Compute <u,s> - v. If <u,s> - v is closer to 0 than to q/2, then decrypt to 0; if <u,s> - v is closer to q/2 than to 0, then decrypt to 1. <u,s> - v = rAs – r(As+e) – z(q/2) = –<r,e> – z(q/2). If all coefficients of e are < sqrt(q), then |<r,e>| < m*sqrt(q). So if q >> m*sqrt(q), z(q/2) “dominates” the term –<r,e> – z(q/2)
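The LWE cryptosystem of slides 44 to 46 (with the LWE distribution of slides 41 to 43 as its public key) as an added Python example, not the talk's code: constructed toy parameters n = 8, m = 32, q = 4099 and error entries bounded by E = 8, so that |<r,e>| <= m*E stays below q/4, with decryption deciding whether <u,s> - v is closer to 0 or to q/2 on the circle Z_q.

```python
import random

# Constructed toy parameters: q prime (not required by the slides), m > n, error bound E.
# Decryption needs |<r,e>| <= m*E to stay below q/4; here 32*8 = 256 < 4099/4.
N, M, Q, E = 8, 32, 4099, 8
HALF = Q // 2                 # the slides' q/2, rounded down because q is odd

def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % Q

def keygen(rng):
    """Secret key s in Z_q^n; public key (A, b = As + e), A in Z_q^{m x n}, |e_i| <= E < sqrt(q)."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-E, E) for _ in range(M)]
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, z, rng):
    """Slide 44: pick r in {0,1}^m and send (u, v) = (rA, <r,b> + z*q/2)."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(ri * row[j] for ri, row in zip(r, A)) % Q for j in range(N)]   # rA in Z_q^n
    v = (dot(r, b) + z * HALF) % Q
    return u, v

def decrypt(s, ct):
    """Slide 46: <u,s> - v = -<r,e> - z*q/2 (mod q); decide whether it is closer to 0
    or to q/2 on the circle Z_q (the distance to 0 wraps around at q)."""
    u, v = ct
    d = (dot(u, s) - v) % Q
    return 0 if min(d, Q - d) < abs(d - HALF) else 1

def roundtrip_ok(seed, trials=50):
    """Encrypt and decrypt both bit values repeatedly; True if every ciphertext decrypts correctly."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return all(decrypt(s, encrypt(pk, z, rng)) == z for _ in range(trials) for z in (0, 1))
```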

  47. Lattices in Practice • Lattices have some great features • Very strong security proofs • The schemes are fairly simple • Relatively efficient • But there is a major drawback • Schemes have very large keys

  48. Hash Function. Description of the hash function: a_1, ..., a_m in Z_q^n. Input: bit-string z_1 ... z_m in {0,1}: h(z_1 ... z_m) = a_1 z_1 + a_2 z_2 + … + a_m z_m. Sample parameters: n = 64, m = 1024, p = 257. Domain size: 2^1024 (1024 bits). Range size: 257^64 (≈ 512 bits). Function description: log(257)*64*1024 ≈ 525,000 bits

  49. Public-Key Cryptosystem • (Textbook) RSA: • Key-size: ≈ 2048 bits • Ciphertext length (2048 bit message): ≈ 2048 bits • LWE-based scheme: • Key-size: ≈ 600,000 bits • Ciphertext length (2048 bit message): ≈ 40,000 bits

  50. Source of Inefficiency (figure: h(z) = A z, with A an n × n(log n) matrix of small integers and z a 0/1 vector). Require O(n^2) storage. Computing the function takes O(n^2) time
