Lattices. Svp & cvp. lll algorithm. application in cryptography Stoica Liviu Faculty of Physics 09-11-2017

CONTENTS Introduction Lattices an example SVP and CVP approximating CVP Using a basis to solve CVP and svp fundamental lattice theorems lattice reduction Gram-Schmidt Orthogonalization “the good basis conditions” the lll algorithm variants and improvEments to lll ( BKZ algorithm ) lattice based cryptography(ggh public key cryptosystem ) further reading Stoica Liviu Faculty of Computer Science 09-11-2017

Why are lattice problems useful in cryptography ? • Underlying every public key cryptosystem is a hard mathematical problem. The best known examples are: RSA Integer Factorization Problem Diffie-Hellman Discrete Logarithm Problem in F ECC Discrete Logarithm Problem on Elliptic Curves * q Stoica Liviu Faculty of Computer Science 09-11-2017

• There are many other hard mathematical problems that one might use for cryptography. • An appealing class of problems involves finding closest and shortest vectors in lattices. • The general Closest Vector Problem (CVP) is known to be NP-hard and the Shortest Vector Problem (SVP) is NP-hard under a randomized reduction hypothesis. Stoica Liviu Faculty of Computer Science 09-11-2017

Lattices 𝐿= 𝑎 1 𝑣 1 + 𝑎 2 𝑣 2 +…+ 𝑎 𝑛 𝑣 𝑛 𝑎 𝑖 ∈ ℤ } Definition: A lattice L of dimension n is a maximal discrete subgroup of ℝ 𝑛 .  A lattice is the ℤ-linear span of a set of n linearly independent vectors: 𝐿= 𝑎 1 𝑣 1 + 𝑎 2 𝑣 2 +…+ 𝑎 𝑛 𝑣 𝑛 𝑎 𝑖 ∈ ℤ } Fundamental domain on L is: ℱ 𝐿 = 𝑡 1 𝑣 1 +…+ 𝑡 𝑛 𝑣 𝑛 0≤ 𝑡 𝑖 <1 } The Discriminant (the “volume”) of L is: 𝐷𝑖𝑠𝑐 𝐿 =𝑉𝑜𝑙𝑢𝑚𝑒 ℱ 𝐿 =det⁡( 𝑣 1 𝑣 2 …| 𝑣 𝑛 ) Stoica Liviu Faculty of Computer Science 09-11-2017

A two dimensional example Stoica Liviu Faculty of Computer Science 09-11-2017

The Two Fundamental Hard Lattice Problems Closest Vector Problem (CVP) Given a vector t ∈ ℝ 𝑛 not in L, find a vector in L that is closest to t. Shortest Vector Problem (SVP) Find a shortest nonzero vector in L. Stoica Liviu Faculty of Computer Science 09-11-2017

The Approximate Closest Vector Problem - is to find a vector v𝜖L so that ||v – t|| is small. For example: 𝑣−𝑡 ≤ 𝑘 𝑚𝑖𝑛 𝒘∈𝐿 | 𝑤−𝑡 | For a small k. Stoica Liviu Faculty of Computer Science 09-11-2017

Using a basis to try to solve the Closest Vector Problem Stoica Liviu Faculty of Computer Science 09-11-2017

Fundamental Lattice Theorems Hademard’s Inequality. Let 𝑣 1 …. 𝑣 𝑛 be any basis for L. Then 𝐷𝑖𝑠𝑐 𝐿 ≤ 𝑣 1 ∗ 𝑣 2 ∗…∗| 𝑣 𝑛 | Theorem (Hermite): There is a constant γ 𝑛 so that for all lattices L of dimension n: There is a nonzero vector v ∈ L satisfying: 𝑣 ≤ 𝛾 𝑛 𝐷𝑖𝑠𝑐(𝐿) 1/𝑛 There is a basis for L satisfying 𝑣 1 ∗…∗ 𝑣 𝑛 ≤ 𝛾 𝑛 𝑛 2 𝐷𝑖𝑠𝑐(𝐿) 𝛾 𝑛 it is called Hermite’s constant: For large n it is bounded by 𝑛 2𝜋ℯ ≤ 𝛾 𝑛 ≤ 𝑛 𝜋ℯ Stoica Liviu Faculty of Computer Science 09-11-2017

Theorem (Minkowski): Let L be a lattice of dimension n. Then every compact convex symmetric region R of volume at least 2 𝑛 Disc(L) contains a nonzero lattice point. The region R in Minkowski’s Theorem is assumed to have the following three properties: Compact: closed and bounded Convex: v, w ∈ R ⇒ line segment 𝑣𝑤 ⊂𝑅 Symmetric: v ∈ R ⇒ −v ∈ R Stoica Liviu Faculty of Computer Science 09-11-2017

Lattice Reduction and the LLL Algorithm Lattice Reduction is the name given to the practical problem of solving SVP and CVP, or more generally of finding reasonably short vectors and reasonably good bases. One of the best lattice reduction methods currently known are based on the LLL Algorithm of Lenstra, Lenstra, and Lovász. Stoica Liviu Faculty of Computer Science 09-11-2017

LLL finds moderately short lattice vectors in polynomial time LLL finds moderately short lattice vectors in polynomial time. This suffices for many applications. However, finding very short (or very close) vectors is currently still exponentially hard. It is worth noting that current lattice reduction algorithms such as LLL are highly sequential. Thus they are not distributable (although somewhat parallelizable). In recent years there has been progress solving CVP and SVP with quantum algorithms. Stoica Liviu Faculty of Computer Science 09-11-2017

Gram-Schmidt Orthogonalization Let 𝐵 = { 𝑣 1 , …, 𝑣 𝑛 } be a basis for ℝ 𝑛 we can turn 𝐵 into 𝐵 ∗ , where the vectors from 𝐵 ∗ are pairwise orthogonal. 𝑣 1 ∗ = 𝑣 1 𝑣 2 ∗ = 𝑣 2 − 𝑣 2 𝑣 1 ∗ 𝑣 1 ∗ 2 𝑣 1 ∗ ⋮ 𝑣 𝑛 ∗ = 𝑣 𝑛 − 𝑣 𝑛 𝑣 𝑛−1 ∗ 𝑣 𝑛−1 ∗ 2 𝑣 𝑛−1 ∗ − 𝑣 𝑛 𝑣 𝑛−2 ∗ 𝑣 𝑛−2 ∗ 2 𝑣 𝑛−2 ∗ − …− 𝑣 𝑛 𝑣 1 ∗ 𝑣 1 ∗ 2 𝑣 1 ∗ Stoica Liviu Faculty of Computer Science 09-11-2017

The Size and Quasiorthogonality Conditions (The good basis conditions) If some coefficient in the Gram-Schmidt process satisfies 𝑣 𝑖 𝑣 𝑗 ∗ 𝑣 𝑗 ∗ 2 > 1 2 Then we replace 𝑣 𝑖 by 𝑣 𝑖 −𝑎 𝑣 𝑗 for an appropriate a ∈ ℤ That makes the coefficient smaller. We say that the basis satisfies the size condition if 𝑣 𝑖 𝑣 𝑗 ∗ 𝑣 𝑗 ∗ 2 ≤ 1 2 for all j < i Stoica Liviu Faculty of Computer Science 09-11-2017

Quasiorthogonality Condition: 𝑣 𝑖+1 ∗ ≥ 3 2 | 𝑣 𝑖 ∗ | It imposes that the angle between the two vectors is larger (or equal to) than 60˚. Theorem (Hermite) : Every lattice has a basis satisfying both the Size Condition and the Quasiorthogonality Condition. Stoica Liviu Faculty of Computer Science 09-11-2017

So we relax the Quasiorthogonality Condition to Unfortunately, the best known algorithms to find such a basis are exponential in the dimension. So we relax the Quasiorthogonality Condition to 𝑣 𝑖+1 ∗ ≥ 3 4 − 𝑣 𝑖+1 𝑣 𝑖 ∗ 2 𝑣 𝑖 ∗ 2 | 𝑣 𝑖 ∗ | This is called the Lovász Condition. Stoica Liviu Faculty of Computer Science 09-11-2017

The LLL Algorithm Theorem (Lenstra, Lenstra, Lovász) There is a polynomial time algorithm that finds a basis for L satisfying both the Size Condition and the Lovász Condition. Such bases are called LLL Reduced Bases. [1] k = 2 [2] LOOP WHILE k < n [3] Replace 𝒗 𝟏 , ..., 𝒗 𝒌 with linear combinations so the Size Condition is true [4] If the Lovász Condition is false [5] Swap 𝒗 𝒌 ↔ 𝒗 𝒌−𝟏 and set k = k − 1 [6] Else [7] Set k = k + 1 [8] If k = n, then basis is LLL reduced [9] END LOOP The Basic LLL Algorithm Stoica Liviu Faculty of Computer Science 09-11-2017

Variants and Improvements to LLL Definition A KZ Reduced Basis: is a basis that satisfies both the Size Condition and the following: For all i, 𝑣 𝑖 ∗ is the shortest vector in the projection of L onto Span( 𝑣 1 , …, 𝑣 𝑛 ). Blockwise Korkine-Zolotarev Reduction Algorithm (BKZ-LLL) Instead of swapping 𝑣 𝑘 and 𝑣 𝑘−1 in Step 5 of LLL, instead take the lattice spanned by a block of vectors 𝑣 𝑖 , 𝑣 𝑖+1 , …, 𝑣 𝑖+𝛽+1 and replace them with a KZ Reduced Basis. Stoica Liviu Faculty of Computer Science 09-11-2017

Operating Characteristics of BKZ An advantage of BKZ is that the output improves as one increases the block size β. Indeed, taking β = n gives a full KZ reduced basis for L, so it solves SVP. Of course, the improved output comes at a cost of increased running time. Stoica Liviu Faculty of Computer Science 09-11-2017

Lattice-Based Cryptography Why Attempt To Use Lattices To Build Cryptosystems? There are some speed advantages (in contrast with “classical” cryptosystems like Integer Factorization Problems for example) available from lattices operations, combined with the fact that SVP and CVP are well-studied hard problems that make it worth looking into cryptosystems whose security depends more directly on SVP and CVP Stoica Liviu Faculty of Computer Science 09-11-2017

The Ajtai-Dwork Lattice Cryptosystem Ajtai and Dwork (1995) described a lattice-based public key cryptosystem whose security relies on the difficulty of solving CVP in certain class of lattices ℒ 𝑨𝑫 . They proved that breaking their system in the average case (i.e. for a randomly chosen lattice of dimension m in ℒ 𝑨𝑫 ) is as difficult as solving SVP for all lattices of dimension n for a certain n that depends on m). This average case-worst case equivalence is a theoretical cryptographic milestone, but unfortunately the Ajtai-Dwork cryptosystem is impractical. Inspired by the work of Ajtai and Dwork, a more practical lattice-based cryptosystem was proposed in 1996 by Goldreich, Goldwasser, and Halevi. Stoica Liviu Faculty of Computer Science 09-11-2017

The GGH Public Key Cryptosystem Key Creation: Choose a lattice L and Private Key = { 𝒗 𝟏 , …, 𝒗 𝒏 } a good (short) basis Public Key = { 𝒘 𝟏 , …, 𝒘 𝒏 } a bad (long) basis Encryption: The plaintext m is a binary vector. Also choose a small random “perturbation” vector r. The ciphertext is: 𝑒 = 𝑚 1 𝑤 1 + ··· + 𝑚 𝑛 𝑤 𝑛 + 𝑟. Note that the ciphertext vector e is not in the lattice L. Decryption: Find a vector u in L that is closest to e. If r is small enough, then 𝑢= 𝑚 1 𝑤 1 + … + 𝑚 𝑛 𝑤 𝑛 so solving CVP for e in L will recover m. The private good basis can be used to find u. First write 𝑒= 𝜇 1 𝑣 1 + … + 𝜇 𝑛 𝑣 𝑛 using real 𝜇 1 , …, 𝜇 𝑛 𝜖 ℝ Then round 𝜇 1 , …, 𝜇 𝑛 to the nearest integer: 𝜇 1 𝑣 1 + …+ 𝜇 𝑛 𝑣 𝑛 will equal u Stoica Liviu Faculty of Computer Science 09-11-2017

Further reading Orthogonalized Lattice Enumeration for Solving SVP https://eprint.iacr.org/2016/950.pdf A Lattice Basis Reduction Algorithm http://www.cas.mcmaster.ca/~qiao/publications/LQZ10.pdf Finding shortest lattice vectors faster using quantum search https://eprint.iacr.org/2014/907.pdf Space-efficient classical and quantum algorithms for the shortest vector problem https://arxiv.org/pdf/1709.00378.pdf Stoica Liviu Faculty of Computer Science 09-11-2017

Algorithms for the Shortest and Closest Lattice Vector Problems http://perso.ens-lyon.fr/damien.stehle/downloads/SVPCVP.pdf Faster exponential time algorithms for the shortest vector problem https://cseweb.ucsd.edu/~daniele/papers/Sieve.pdf A KZ Reduction Algorithm https://arxiv.org/pdf/1702.08152.pdf Stoica Liviu Faculty of Computer Science 09-11-2017

THANK YOU FOR YOUR ATTENTION!