Lattices. Svp & cvp. lll algorithm. application in cryptography


Lattices. Svp & cvp. lll algorithm. application in cryptography Stoica Liviu Faculty of Physics 09-11-2017

CONTENTS
Introduction
Lattices: an example
SVP and CVP; approximating CVP; using a basis to solve CVP and SVP
Fundamental lattice theorems
Lattice reduction: Gram-Schmidt orthogonalization, the "good basis" conditions, the LLL algorithm
Variants and improvements to LLL (the BKZ algorithm)
Lattice-based cryptography (the GGH public key cryptosystem)
Further reading
Stoica Liviu, Faculty of Computer Science, 09-11-2017

Why are lattice problems useful in cryptography?
Underlying every public key cryptosystem is a hard mathematical problem. The best known examples are:
RSA: the Integer Factorization Problem
Diffie-Hellman: the Discrete Logarithm Problem in $\mathbb{F}_q^*$
ECC: the Discrete Logarithm Problem on Elliptic Curves

There are many other hard mathematical problems that one might use for cryptography. An appealing class of problems involves finding closest and shortest vectors in lattices. The general Closest Vector Problem (CVP) is known to be NP-hard, and the Shortest Vector Problem (SVP) is NP-hard under randomized reductions (Ajtai, 1998). Note that these results concern the exact problems (or very small approximation factors); the polynomial approximation factors that cryptographic constructions actually rely on are not known to be NP-hard.

Lattices
Definition: A lattice L of dimension n is a maximal discrete subgroup of $\mathbb{R}^n$. Equivalently, a lattice is the $\mathbb{Z}$-linear span of a set of n linearly independent vectors $v_1, \dots, v_n$:
$L = \{ a_1 v_1 + a_2 v_2 + \dots + a_n v_n : a_i \in \mathbb{Z} \}$
The fundamental domain of L (for this basis) is
$\mathcal{F}(L) = \{ t_1 v_1 + \dots + t_n v_n : 0 \le t_i < 1 \}$
The discriminant (the "volume") of L is
$\mathrm{Disc}(L) = \mathrm{Vol}(\mathcal{F}(L)) = |\det(v_1 \mid v_2 \mid \dots \mid v_n)|$
It does not depend on the choice of basis: two bases of the same lattice differ by an integer matrix of determinant $\pm 1$.

A two dimensional example (figure)

The Two Fundamental Hard Lattice Problems
Closest Vector Problem (CVP): Given a vector $t \in \mathbb{R}^n$ (in general not in L), find a vector in L that is closest to t.
Shortest Vector Problem (SVP): Find a shortest nonzero vector in L.

The Approximate Closest Vector Problem is to find a vector $v \in L$ so that $\|v - t\|$ is small. For example,
$\|v - t\| \le k \cdot \min_{w \in L} \|w - t\|$
for a small approximation factor k.

Using a basis to try to solve the Closest Vector Problem (figure). The natural attempt is Babai's rounding: write t as a real linear combination of the basis vectors and round each coefficient to the nearest integer. With a short, nearly orthogonal basis the result is the closest lattice vector (or very close to it); with a long, skewed basis of the same lattice it is usually far from it.

Fundamental Lattice Theorems
Hadamard's Inequality. Let $v_1, \dots, v_n$ be any basis for L. Then
$\mathrm{Disc}(L) \le \|v_1\| \cdot \|v_2\| \cdots \|v_n\|$,
with equality exactly when the basis is orthogonal. The ratio of the two sides (normalised by an n-th root) is a convenient measure of how "good" a basis is.
Theorem (Hermite): There is a constant $\gamma_n$ so that for all lattices L of dimension n:
(1) there is a nonzero vector $v \in L$ satisfying $\|v\| \le \sqrt{\gamma_n}\, \mathrm{Disc}(L)^{1/n}$;
(2) there is a basis for L satisfying $\|v_1\| \cdots \|v_n\| \le \gamma_n^{n/2}\, \mathrm{Disc}(L)$.
$\gamma_n$ is called Hermite's constant. For large n it is bounded by
$\frac{n}{2\pi e} \le \gamma_n \le \frac{n}{\pi e}$.

Theorem (Minkowski): Let L be a lattice of dimension n. Then every compact convex symmetric region R of volume at least $2^n \mathrm{Disc}(L)$ contains a nonzero lattice point.
The region R in Minkowski's Theorem is assumed to have the following three properties:
Compact: closed and bounded
Convex: $v, w \in R \Rightarrow$ the line segment $\overline{vw} \subset R$
Symmetric: $v \in R \Rightarrow -v \in R$

Lattice Reduction and the LLL Algorithm
Lattice Reduction is the name given to the practical problem of solving SVP and CVP, or more generally of finding reasonably short vectors and reasonably good bases. Most of the best lattice reduction methods currently known are based on the LLL Algorithm of Lenstra, Lenstra, and Lovász.

LLL finds moderately short lattice vectors in polynomial time. This suffices for many applications. However, finding very short (or very close) vectors is currently still exponentially hard: the first vector of an LLL reduced basis is only guaranteed to be within a factor $2^{(n-1)/2}$ of the shortest, and the best known exact SVP and CVP algorithms (enumeration and sieving) run in time exponential in n. It is worth noting that current lattice reduction algorithms such as LLL are highly sequential, so they are not easily distributed (although somewhat parallelizable). In recent years there has been progress on quantum algorithms for SVP and CVP, mainly quantum-search speedups of sieving (see the further reading), but no polynomial-time quantum algorithm for either problem is known.

Gram-Schmidt Orthogonalization
Let $B = \{v_1, \dots, v_n\}$ be a basis for $\mathbb{R}^n$. We can turn B into $B^* = \{v_1^*, \dots, v_n^*\}$, where the vectors of $B^*$ are pairwise orthogonal:
$v_1^* = v_1$
$v_2^* = v_2 - \frac{v_2 \cdot v_1^*}{\|v_1^*\|^2} v_1^*$
$\vdots$
$v_n^* = v_n - \frac{v_n \cdot v_{n-1}^*}{\|v_{n-1}^*\|^2} v_{n-1}^* - \frac{v_n \cdot v_{n-2}^*}{\|v_{n-2}^*\|^2} v_{n-2}^* - \dots - \frac{v_n \cdot v_1^*}{\|v_1^*\|^2} v_1^*$
Note that $B^*$ is an orthogonal basis of $\mathbb{R}^n$, but in general its vectors are not in the lattice L; it is a tool for measuring a lattice basis, not a replacement for it.

The Size and Quasiorthogonality Conditions (the good basis conditions)
Write $\mu_{i,j} = \frac{v_i \cdot v_j^*}{\|v_j^*\|^2}$ for the Gram-Schmidt coefficients. If some coefficient satisfies $|\mu_{i,j}| > \frac{1}{2}$, then we replace $v_i$ by $v_i - a v_j$ for the integer a nearest to $\mu_{i,j}$. That makes the coefficient smaller (in absolute value at most $\frac{1}{2}$) and changes neither the lattice nor any $v_k^*$. We say that the basis satisfies the Size Condition if
$|\mu_{i,j}| = \left| \frac{v_i \cdot v_j^*}{\|v_j^*\|^2} \right| \le \frac{1}{2}$ for all $j < i$.

Quasiorthogonality Condition: $\|v_{i+1}^*\| \ge \frac{\sqrt{3}}{2} \|v_i^*\|$. It imposes that the angle between the two vectors is at least 60°.
Theorem (Hermite): Every lattice has a basis satisfying both the Size Condition and the Quasiorthogonality Condition.

Unfortunately, the best known algorithms to find such a basis are exponential in the dimension. So we relax the Quasiorthogonality Condition to
$\|v_{i+1}^*\|^2 \ge \left( \frac{3}{4} - \mu_{i+1,i}^2 \right) \|v_i^*\|^2$, where $\mu_{i+1,i} = \frac{v_{i+1} \cdot v_i^*}{\|v_i^*\|^2}$.
This is called the Lovász Condition. (The constant $\frac{3}{4}$ can be replaced by any $\delta$ with $\frac{1}{4} < \delta < 1$; a larger $\delta$ gives a better basis at the cost of more swaps.)

The LLL Algorithm
Theorem (Lenstra, Lenstra, Lovász): There is a polynomial time algorithm that finds a basis for L satisfying both the Size Condition and the Lovász Condition. Such bases are called LLL Reduced Bases.
The Basic LLL Algorithm
[1] Set k = 2
[2] LOOP WHILE k ≤ n
[3] Replace $v_k$ by $v_k - \lfloor \mu_{k,j} \rceil v_j$ for j = k − 1, …, 1, so that the Size Condition holds for $v_k$
[4] If the Lovász Condition is false for k
[5] Swap $v_k \leftrightarrow v_{k-1}$ and set k = max(k − 1, 2)
[6] Else
[7] Set k = k + 1
[8] END LOOP
[9] When the loop exits (k = n + 1) the basis is LLL reduced
Every step is either a swap or the subtraction of an integer multiple of one basis vector from another, so the output is a basis of the same lattice L.
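The following is an added Python implementation of the Gram-Schmidt process, the Size and Lovász checks, and the basic LLL algorithm from the slides above; it is example code written for this page, not code from the original presentation. It uses exact rational arithmetic so the conditions can be verified without floating-point error, and recomputes the Gram-Schmidt data after every change (simple rather than efficient). The input basis (1,1,1), (−1,0,2), (3,5,6) is a constructed example; the reduced output is (0,1,0), (1,0,1), (−1,0,2).

```python
"""Gram-Schmidt orthogonalisation and the basic LLL algorithm on an integer
lattice basis. Exact rational arithmetic (fractions.Fraction) is used so the
Size and Lovász Conditions can be checked without floating-point error."""
from fractions import Fraction
import math


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Return (bstar, mu): bstar[i] is v_i^*, mu[i][j] = (v_i . v_j^*) / ||v_j^*||^2.
    bstar is an orthogonal basis of R^n, but its vectors are generally not in L."""
    n = len(basis)
    bstar = []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i, v in enumerate(basis):
        w = [Fraction(x) for x in v]
        for j in range(i):
            mu[i][j] = Fraction(dot(v, bstar[j])) / dot(bstar[j], bstar[j])
            w = [a - mu[i][j] * b for a, b in zip(w, bstar[j])]
        bstar.append(w)
    return bstar, mu


def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Size Condition |mu_ij| <= 1/2 for all j < i, and Lovász Condition
    ||v_k^*||^2 >= (delta - mu_{k,k-1}^2) ||v_{k-1}^*||^2 for k = 2..n."""
    bstar, mu = gram_schmidt(basis)
    n = len(basis)
    if any(abs(mu[i][j]) > Fraction(1, 2) for i in range(n) for j in range(i)):
        return False
    return all(dot(bstar[k], bstar[k])
               >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
               for k in range(1, n))


def lll_reduce(basis, delta=Fraction(3, 4)):
    """The basic LLL algorithm. Every step is a swap or an integer row
    operation, so the output is a basis of the same lattice."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)
    k = 1                                  # 0-indexed; the slide's k = 2
    while k < n:                           # the slide's LOOP WHILE k <= n
        bstar, mu = gram_schmidt(b)
        for j in range(k - 1, -1, -1):     # size-reduce v_k against v_{k-1}, ..., v_1
            if abs(mu[k][j]) > Fraction(1, 2):
                q = math.floor(mu[k][j] + Fraction(1, 2))   # nearest integer to mu
                b[k] = [a - q * c for a, c in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)  # recompute (simple, not optimised)
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                     # Lovász Condition holds: advance
            k += 1
        else:                              # otherwise swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return [[int(x) for x in v] for v in b]


if __name__ == "__main__":
    # Constructed example basis; its lattice has Disc(L) = 3.
    basis = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]
    print("input reduced?", is_lll_reduced(basis))       # False
    reduced = lll_reduce(basis)
    print("LLL basis:", reduced)                         # [[0, 1, 0], [1, 0, 1], [-1, 0, 2]]
    print("output reduced?", is_lll_reduced(reduced))    # True
```

Tracing the run by hand reproduces the slide's loop: the third vector is size-reduced to (0,1,0), fails the Lovász test and is swapped backwards twice until it becomes the first basis vector, after which the remaining vectors pass and the loop exits. In this instance the first output vector has length 1, which is the true shortest vector of the lattice; in general LLL only guarantees a $2^{(n-1)/2}$ approximation.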

Variants and Improvements to LLL
Definition. A KZ (Korkine-Zolotarev) Reduced Basis is a basis that satisfies the Size Condition and, in addition, for all i, $v_i^*$ is a shortest nonzero vector of the projection of L orthogonally to $\mathrm{Span}(v_1, \dots, v_{i-1})$ (for i = 1 this says $v_1$ is a shortest vector of L).
Blockwise Korkine-Zolotarev Reduction Algorithm (BKZ-LLL): Instead of swapping $v_k$ and $v_{k-1}$ in Step 5 of LLL, take the lattice spanned by a block of β consecutive vectors $v_i, v_{i+1}, \dots, v_{i+\beta-1}$ (projected orthogonally to the vectors before the block) and replace them with a KZ Reduced Basis of that block.

Operating Characteristics of BKZ
An advantage of BKZ is that the output improves as one increases the block size β. Indeed, taking β = n gives a full KZ reduced basis for L, so it solves SVP. Of course, the improved output comes at the cost of running time that grows exponentially in β, because KZ reduction of each block is an exact SVP computation in dimension β.

Lattice-Based Cryptography
Why attempt to use lattices to build cryptosystems? Lattice operations are cheap (mostly integer vector arithmetic), which offers speed advantages over "classical" cryptosystems based on, for example, the integer factorization problem. Combined with the fact that SVP and CVP are well-studied hard problems, this makes it worth looking into cryptosystems whose security depends more directly on SVP and CVP.

The Ajtai-Dwork Lattice Cryptosystem
Ajtai and Dwork (1997) described a lattice-based public key cryptosystem whose security relies on the difficulty of solving CVP in a certain class of lattices $\mathcal{L}_{AD}$. They proved that breaking their system in the average case (i.e. for a randomly chosen lattice of dimension m in $\mathcal{L}_{AD}$) is as difficult as solving the unique shortest vector problem (a variant of SVP) for all lattices of dimension n, for a certain n that depends on m. This average-case/worst-case equivalence is a theoretical cryptographic milestone, but unfortunately the Ajtai-Dwork cryptosystem is impractical (its keys are very large). Inspired by the work of Ajtai and Dwork, a more practical lattice-based cryptosystem was proposed in 1996 by Goldreich, Goldwasser, and Halevi.

The GGH Public Key Cryptosystem
Key Creation: Choose a lattice L and
Private Key = $\{v_1, \dots, v_n\}$, a good (short, nearly orthogonal) basis
Public Key = $\{w_1, \dots, w_n\}$, a bad (long) basis of the same L, e.g. $W = UV$ for a random integer matrix U of determinant $\pm 1$
Encryption: The plaintext m is a binary vector. Also choose a small random "perturbation" vector r. The ciphertext is
$e = m_1 w_1 + \dots + m_n w_n + r$.
Note that the ciphertext vector e is not in the lattice L.
Decryption: Find the vector u in L that is closest to e. If r is small enough, then $u = m_1 w_1 + \dots + m_n w_n$, so solving CVP for e in L recovers m: write u in the public basis and read off its integer coefficients $m_1, \dots, m_n$.
The private good basis can be used to find u (Babai's rounding). First write $e = \mu_1 v_1 + \dots + \mu_n v_n$ with real $\mu_1, \dots, \mu_n \in \mathbb{R}$. Then round each $\mu_i$ to the nearest integer:
$u = \lfloor \mu_1 \rceil v_1 + \dots + \lfloor \mu_n \rceil v_n$.
This works because the $v_i$ are short and nearly orthogonal; the same rounding with the long public basis generally returns a different, wrong lattice point.
Security note: GGH as originally proposed is broken. Nguyen (CRYPTO 1999) showed that, for the original perturbation vectors with entries $\pm\sigma$, the ciphertext leaks m modulo $2\sigma$, which reduces decryption to an easier CVP instance that lattice reduction solved for the proposed parameters, so the scheme is now mainly of pedagogical interest.
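As an added worked example (code written for this page, not the GGH authors' implementation and not from the original slides), here is a toy 2-dimensional GGH instance tying together the discriminant and Hadamard's inequality from the earlier slides, Babai's rounding as the "use a basis to solve CVP" step, and the GGH key/encrypt/decrypt flow. The private basis V, the unimodular matrix U, the message and the perturbation are all constructed values; the public basis is W = UV. The same rounding is also attempted with the public basis to show why the bad basis does not decrypt. Real GGH parameters used dimensions in the hundreds.

```python
"""Toy GGH instance in dimension 2: encryption with the public (bad) basis,
decryption by Babai's rounding with the private (good) basis, and the same
rounding attempted with the bad basis. All numbers below are constructed for
this example; exact rational arithmetic throughout."""
from fractions import Fraction
import math

# Constructed private basis V (short, nearly orthogonal) and unimodular U (det 1).
PRIVATE = [[7, 1], [-2, 6]]
U = [[5, 7], [2, 3]]
# Public basis W = U * V: long and skewed, but it spans the same lattice.
PUBLIC = [[sum(U[i][k] * PRIVATE[k][j] for k in range(2)) for j in range(2)]
          for i in range(2)]            # [[21, 47], [8, 20]]


def solve(basis, target):
    """Rational coordinates c with target = sum_j c_j * basis[j]
    (Gauss-Jordan elimination; the basis vectors are the matrix columns)."""
    n = len(basis)
    m = [[Fraction(basis[j][i]) for j in range(n)] + [Fraction(target[i])]
         for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] != 0)  # basis => nonsingular
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [x / p for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def det(matrix):
    """Determinant by cofactor expansion (adequate for tiny dimensions)."""
    if len(matrix) == 1:
        return matrix[0][0]
    return sum((-1) ** j * matrix[0][j]
               * det([row[:j] + row[j + 1:] for row in matrix[1:]])
               for j in range(len(matrix)))


def hadamard_ratio(basis):
    """(Disc(L) / prod ||v_i||)^(1/n), in (0, 1]: Hadamard's inequality says
    the ratio is at most 1, with equality exactly for an orthogonal basis."""
    n = len(basis)
    norms = 1.0
    for v in basis:
        norms *= math.sqrt(sum(x * x for x in v))
    return (abs(det(basis)) / norms) ** (1.0 / n)


def babai_round(basis, target):
    """Write target in the basis with real coefficients, round each to the
    nearest integer; return (lattice point, integer coefficients)."""
    coeffs = [math.floor(c + Fraction(1, 2)) for c in solve(basis, target)]
    point = [sum(coeffs[j] * basis[j][i] for j in range(len(basis)))
             for i in range(len(target))]
    return point, coeffs


def ggh_encrypt(public, message, perturbation):
    n = len(public)
    return [sum(message[j] * public[j][i] for j in range(n)) + perturbation[i]
            for i in range(n)]


def ggh_decrypt(private, public, ciphertext):
    """Solve CVP with the good basis, then read m off as the (integer)
    coordinates of the recovered lattice point in the public basis."""
    u, _ = babai_round(private, ciphertext)
    coords = solve(public, u)
    assert all(c.denominator == 1 for c in coords)   # u lies in L
    return [int(c) for c in coords]


def attack_with_public_basis(public, ciphertext):
    """Babai's rounding with only the bad basis: usually lands on the wrong point."""
    return babai_round(public, ciphertext)[1]


if __name__ == "__main__":
    m, r = [1, 1], [1, -1]                   # binary message, small perturbation
    e = ggh_encrypt(PUBLIC, m, r)            # [30, 66]
    print("Disc(L) from either basis:", det(PRIVATE), det(PUBLIC))          # 44 44
    print("Hadamard ratio good/bad: %.3f %.3f"
          % (hadamard_ratio(PRIVATE), hadamard_ratio(PUBLIC)))              # ~0.99 ~0.20
    print("decrypt with private basis:", ggh_decrypt(PRIVATE, PUBLIC, e))  # [1, 1]
    print("rounding with public basis:", attack_with_public_basis(PUBLIC, e))  # [2, -1]
```

With the private basis the real coordinates of e are about (7.09, 9.82), which round to (7, 10) and give the lattice point (29, 67) at distance $\sqrt{2}$ from e, exactly $m_1 w_1 + m_2 w_2$. With the public basis the coordinates are about (1.64, −0.55), rounding to (2, −1) and giving (34, 74), about 8.9 away from e, so an attacker who only rounds with the bad basis recovers garbage; in practice the attacker's real option is to run LLL/BKZ on the public basis to recover a good one, which is why GGH needs dimensions where reduction is infeasible.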

Further reading
Orthogonalized Lattice Enumeration for Solving SVP. https://eprint.iacr.org/2016/950.pdf
A Lattice Basis Reduction Algorithm. http://www.cas.mcmaster.ca/~qiao/publications/LQZ10.pdf
Finding shortest lattice vectors faster using quantum search. https://eprint.iacr.org/2014/907.pdf
Space-efficient classical and quantum algorithms for the shortest vector problem. https://arxiv.org/pdf/1709.00378.pdf

Algorithms for the Shortest and Closest Lattice Vector Problems. http://perso.ens-lyon.fr/damien.stehle/downloads/SVPCVP.pdf
Faster exponential time algorithms for the shortest vector problem. https://cseweb.ucsd.edu/~daniele/papers/Sieve.pdf
A KZ Reduction Algorithm. https://arxiv.org/pdf/1702.08152.pdf

THANK YOU FOR YOUR ATTENTION!