New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions Oded Regev

Lattices. Basis: v1,…,vn, vectors in R^n. The lattice is the set of all a1v1+…+anvn with a1,…,an integers. What is the shortest vector u? [Figure: a 2-dimensional lattice with the points v1, v2, 2v1, 2v2, v1+v2, 2v2−v1 and 2v2−2v1 marked]

Lattices – not so easy. [Figure: a basis v1, v2 whose shortest lattice vector is 3v1−4v2]

f(n)-unique-SVP (shortest vector problem). Promise: the shortest vector u is shorter by a factor of f(n) than every lattice vector not parallel to it. There is an algorithm for 2^n-unique SVP [LLL82, Schnorr87]; the problem is believed to be hard for any f(n) = n^c. [Figure: the scale of f(n) from 1 through n^c (believed hard) to 2^n (easy)]

History. Lattices are geometric objects with rich structure; early work by Gauss 1801, Hermite 1850, Minkowski 1896. More recent developments: the LLL algorithm, which approximates the shortest vector in a lattice [LenstraLenstraLovász82], with applications to factoring rational polynomials, solving integer programs in a fixed dimension and breaking knapsack cryptosystems; Ajtai's average-case connection [Ajtai96]; lattice based cryptosystems.

Question. From which distribution is the following sequence taken? 478, 21, 431, 897, 150, 701, 929, 232. Uniform, or wavy? [Figure: the uniform distribution on {0,…,999}, probability 1/1000 at each point, next to a wavy distribution on the same range]

The d,γ-wavy distribution. A periodization of the normal distribution on {0,…,R−1}, where R = 2^(2n^2). The number of periods is d (usually an integer), and the ratio of the period to the standard deviation is γ. dist_d : {0,…,R−1} → [0,½] is the normalized distance from the nearest peak. [Figure: a d,γ-wavy distribution over {0,…,R−1} with d = 7 peaks]

Main Theorem. For all γ = γ(n), there is a reduction from γ√n-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions, for any integer d < 2^(n^2).

Average-case Theorem. For all γ = γ(n), there is a reduction from γ√n-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions for a non-negligible fraction of the values d in [2^(n^2), 2·2^(n^2)].

Applications of the Main Theorem: a public key encryption scheme; a collision resistant hash function; a problem in quantum computation.

Cryptography. 'Standard' cryptography is usually based on factoring, discrete log or the principal ideal problem: an average-case assumption, and mostly broken by quantum computers. Lattice based cryptography [Ajtai96,…] is based on lattice problems under a worst-case assumption, and is still not broken by quantum computers.

Application 1: Public Key Encryption (PKE). A PKE consists of a private key, a public key, encryption and decryption. The Ajtai-Dwork cryptosystem [AjtaiDwork96, GoldreichGoldwasserHalevi97] was previously the only lattice based PKE with a worst-case assumption; it is based on n^7-unique Shortest Vector Problem.

Application 1: Public Key Encryption (PKE). We construct a new lattice based PKE from the average-case theorem. It has a very simple description, improves the Ajtai-Dwork assumption to n^1.5-unique Shortest Vector Problem, and works over the integers, so it is very efficient.

Application 2: Collision Resistant Hash Function. A function f : {0,1}^r → {0,1}^s with r > s such that it is hard to find collisions, i.e., x ≠ y with f(x) = f(y). There are many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02]. Our construction is the first that is not based on Ajtai's iterative step, and is somewhat stronger (based on n^1.5-uSVP).

Application 3: Quantum Computation. Quantum computers can break cryptography based on factoring [Shor96], via the hidden subgroup problem (HSP) on Abelian groups. What about lattice based cryptography?

Application 3: Quantum Computation. Lattice based cryptography can be broken given an efficient solution to the HSP on dihedral groups [R'02]. Our main theorem explains the failure of previous attempts to solve the HSP on dihedral groups [EttingerHøyer'00].

Main Theorem. For all γ = γ(n), there is a reduction from γ√n-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions, for any integer d < 2^(n^2).

Proof of the Main Theorem

Proof Outline: n^1.5-Unique-SVP → decision problem → promise problem → n-dimensional distributions → Main theorem.

Reduction to: Decision Problem. Given an n^1.5-unique lattice and a prime p > n^1.5, let the shortest vector be u = a1v1+a2v2+…+anvn. Decide whether a1 is divisible by p.

The Reduction. Idea: decrease the coefficients of the shortest vector. If we find out that p | a1 then we can replace the basis with pv1, v2, …, vn; u is still in the new lattice, since u = (a1/p)·pv1 + a2v2 + … + anvn. The same can be done whenever p | ai for some i.

The Reduction. But what if p ∤ ai for all i? Consider the basis v1, v2−v1, v3, …, vn. In it the shortest vector is u = (a1+a2)v1 + a2(v2−v1) + a3v3 + … + anvn, so the first coefficient is a1+a2. Similarly, we can set the first coefficient to any of a1−⌊p/2⌋a2, …, a1−a2, a1, a1+a2, …, a1+⌊p/2⌋a2. These are p consecutive values of a1+ka2 and p ∤ a2, so one of them is divisible by p; we choose it and continue.
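The coefficient-shrinking procedure of the last two slides, as an added worked example (this code is not from the slides or from the paper): a toy 3-dimensional integer lattice, a hidden coefficient vector a of the target vector u that stands in for the decision oracle "is p | a_i?", and the two basis operations, scaling v_i by p and the unimodular shift v_j ← v_j − k·v_i. The basis, the coefficients and p = 3 are made up; the stopping rule (all coefficients in {−1, 0, 1}) and the choice of which coefficient to shrink next are mine, not the slides'.

```python
"""Added example: the coefficient-shrinking step of the reduction from
n^1.5-unique-SVP to the decision problem "is p | a_1?", on a toy lattice.

The hidden coefficient vector a of u = a_1 v_1 + ... + a_n v_n is used ONLY
to answer the oracle question "does p divide a_i?"; the reduction never
reads a directly.  Every basis change keeps u in the lattice, which the
code checks after each step.  Basis, coefficients and p are constructed.
"""


def oracle(a, i, p):
    """Simulated decision oracle: is the i-th coefficient of u divisible by p?"""
    return a[i] % p == 0


def lattice_vector(B, a):
    """a_1 v_1 + ... + a_n v_n for basis rows B and coefficient vector a."""
    return [sum(a[i] * B[i][c] for i in range(len(B))) for c in range(len(B[0]))]


def scale(B, a, i, p):
    """Case p | a_i: replace v_i by p v_i.  u = (a_i/p)(p v_i) + ... stays in the lattice."""
    assert oracle(a, i, p)
    B[i] = [p * x for x in B[i]]
    a[i] //= p


def shift(B, a, i, j, k):
    """Unimodular change v_j <- v_j - k v_i.  Then
    u = (a_i + k a_j) v_i + a_j (v_j - k v_i) + ..., so a_i becomes a_i + k a_j."""
    B[j] = [vj - k * vi for vi, vj in zip(B[i], B[j])]
    a[i] += k * a[j]


def reduce_coefficients(B, a, p):
    """Shrink the coefficients of u until all of them lie in {-1, 0, 1}.

    Assumes p >= 3 is prime and gcd(a) = 1 (a shortest vector is primitive).
    Returns the new basis, the new coefficients and the trace of max|a_i|.
    """
    B = [row[:] for row in B]
    a = a[:]
    u = lattice_vector(B, a)
    trace = []
    while max(abs(x) for x in a) > 1:
        M = max(abs(x) for x in a)
        i = next(idx for idx, x in enumerate(a) if abs(x) == M)
        if oracle(a, i, p):
            scale(B, a, i, p)                      # p | a_i: divide it by p
        else:
            partners = [j for j in range(len(a)) if j != i and not oracle(a, j, p)]
            if partners:
                j = partners[0]
                # among a_i + k a_j for |k| <= floor(p/2), one value is divisible by p
                k = next(k for k in range(-(p // 2), p // 2 + 1)
                         if (a[i] + k * a[j]) % p == 0)
                shift(B, a, i, j, k)
                scale(B, a, i, p)                  # new |a_i| <= M/p + M/2 < M
            else:
                # every other coefficient is a nonzero multiple of p: shrink one of them
                j = next(j for j in range(len(a)) if j != i and a[j] != 0)
                scale(B, a, j, p)
        assert lattice_vector(B, a) == u           # u is still in the lattice
        trace.append(max(abs(x) for x in a))
    return B, a, trace


if __name__ == "__main__":
    B0 = [[2, 1, 0], [1, 3, 1], [0, 1, 4]]         # constructed basis rows v1, v2, v3
    a0 = [7, -4, 5]                                # constructed hidden coefficients of u
    B1, a1, trace = reduce_coefficients(B0, a0, 3)
    print("u =", lattice_vector(B0, a0), "trace of max|a_i|:", trace)
    print("final coefficients:", a1, "final basis:", B1)
```

On the constructed instance max|a_i| falls from 7 through 5, 4, 2 to 1 while u = (10, 0, 16) stays in the lattice at every step, and the final basis expresses u as v1 − v2 + v3. The slides do not say how u is read off once the coefficients are this small, so the example stops there.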

Proof Outline: n^1.5-Unique-SVP → decision problem → promise problem → n-dimensional distributions → Main theorem.

Reduction from: Decision Problem. Given an n^1.5-unique lattice and a prime p > n^1.5, let the shortest vector be u = a1v1+a2v2+…+anvn. Decide whether a1 is divisible by p.

Reduction to: Promise Problem. Given a lattice, distinguish between: Case 1: the shortest vector is of length 1/n and all non-parallel vectors are of length more than √n. Case 2: the shortest vector is of length more than √n.

The reduction. Input: a basis (v1,…,vn) of an n^1.5-unique lattice. Scale the lattice so that the shortest vector is of length 1/n (so every non-parallel vector has length more than √n). Replace v1 by pv1 and let M be the resulting lattice. If p | a1 then u ∈ M, so the shortest vector of M has length 1/n and all non-parallel vectors have length more than √n. If p ∤ a1 then u ∉ M; the only multiples of u in M are multiples of pu, of length at least p/n > √n, so the shortest vector of M has length more than √n.

The input lattice L. [Figure: L with the vectors −u, u, 2u (u of length 1/n) and every non-parallel vector beyond distance √n]

The lattice M. The lattice M is spanned by pv1, v2, …, vn. If p | a1, then u = (a1/p)·pv1 + a2v2 + … + anvn ∈ M. [Figure: M containing u at distance 1/n, all non-parallel vectors beyond √n]

The lattice M. The lattice M is spanned by pv1, v2, …, vn. If p ∤ a1, then u ∉ M. [Figure: M containing −pu and pu but not u; every vector is beyond distance √n]

Proof Outline: n^1.5-Unique-SVP → decision problem → promise problem → n-dimensional distributions → Main theorem.

Reduction from: Promise Problem. Given a lattice, distinguish between: Case 1: the shortest vector is of length 1/n and all non-parallel vectors are of length more than √n. Case 2: the shortest vector is of length more than √n.

n-dimensional distributions. Distinguish between the distributions: wavy or uniform? [Figure: an n-dimensional wavy distribution next to the uniform distribution]

Dual Lattice. Given a lattice L, the dual lattice is L* = { x | ∀y ∈ L, ⟨x,y⟩ ∈ Z }. [Figure: a lattice L with spacing 5 and its dual L* with spacing 1/5]

L* – the dual of L. [Figure: Case 1: L has shortest vector u of length 1/n, and L* lies on hyperplanes orthogonal to u at distance n from each other. Case 2: L has no vector shorter than √n]

Reduction. Choose a point randomly from L* and perturb it by a Gaussian of radius √n.

Creating the Distribution. [Figure: L* and L* + perturbation in Case 1 (hyperplanes at distance n) and in Case 2]

Analyzing the Distribution. Theorem (using [Banaszczyk'93]): the distribution obtained above depends only on the points of L within distance √n of the origin (up to an exponentially small error). Therefore, in Case 1 it is determined by the multiples of u, and is wavy on the hyperplanes orthogonal to u; in Case 2 it is determined by the origin alone, and is uniform.

Proof of Theorem. For a set A in R^n, define: [formula shown only as an image in the slide]. The Poisson Summation Formula implies: [formula shown only as an image in the slide]. Banaszczyk's theorem: for any lattice L, [formula shown only as an image in the slide].

Proof of Theorem (cont.). In Case 2, the distribution obtained is very close to uniform: [formula shown only as an image in the slide]. Because: [formula shown only as an image in the slide].

Proof Outline: n^1.5-Unique-SVP → decision problem → promise problem → n-dimensional distributions → Main theorem.

n-dimensional distributions. Distinguish between the distributions, given by an oracle that returns points inside a cube of side length 2^n: wavy or uniform? [Figure: the wavy and the uniform distribution inside the cube]

Main Theorem. Distinguish between the distributions on {0,…,R−1}: uniform, or wavy? [Figure: the uniform distribution and a wavy distribution on {0,…,R−1}]

Reducing to 1 dimension. First attempt: sample and project to a line. [Figure: sample points projected onto a line]

Reducing to 1 dimension. But then we lose the wavy structure! We should project only from points very close to the line.

The solution. Use the periodicity of the distribution: project on a 'dense line'. [Figure: projection onto a dense line]

The solution. We choose the line that connects the origin to e1 + Ke2 + K^2 e3 + … + K^(n−1) en, where K is large enough. The distance between the hyperplanes is n and the sides of the cube are of length 2^n; therefore we choose K = 2^O(n). Hence d < O(K^n) = 2^O(n^2).

Done: n^1.5-Unique-SVP → decision problem → promise problem → n-dimensional distributions → Main theorem.

From Worst-Case to Average-Case

Worst-case vs. Average-case. The main theorem presents a problem that is hard in the worst case: distinguish between uniform and d,γ-wavy distributions for all integers d < 2^(n^2). For cryptographic applications we would like a problem that is hard on average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of the d in [2^(n^2), 2·2^(n^2)].

Compressing. The following procedure transforms d,γ-wavy into 2d,γ-wavy for every integer d: sample a from the distribution and return either a/2 or (a+R)/2, each with probability ½. In general, for any real α ≥ 1, we can compress d,γ-wavy into αd,γ-wavy. Notice that compressing preserves the uniform distribution. We show a reduction from worst-case to average-case.

Reduction. Assume there exists a distinguisher between uniform and d,γ-wavy distributions for some non-negligible fraction of d in [2^(n^2), 2·2^(n^2)]. Given either a uniform or a d,γ-wavy distribution for some integer d < 2^(n^2), repeat the following: choose α in {1,…,2·2^(n^2)} according to a certain distribution; compress the distribution by α; check the distinguisher's acceptance probability. If for some α the acceptance probability differs from that on uniform sequences, return 'wavy'; otherwise return 'uniform'.

Reduction. If the distribution is uniform: after compression it is still uniform, hence the distinguisher's acceptance probability equals that on uniform sequences for every α. If the distribution is d,γ-wavy: after compression by α it is αd,γ-wavy, which lands in the good range with some probability; hence for some α the distinguisher's acceptance probability differs from that on uniform sequences. [Figure: d < 2^(n^2) compressed into the range [2^(n^2), 2·2^(n^2)]]

Application 1 Public Key Encryption Scheme

PKE – Description. Let m = 2 log2 R = 4n^2. Private key: a real number y chosen uniformly in [2^(n^2), 2·2^(n^2)] subject to y being within 1/(100m) of an integer. Public key: integers A = {a1,…,am} chosen from the y,γ-wavy distribution with γ = n^(1+ε). Lemma: public keys are indistinguishable from uniform sequences (based on n^(1.5+ε)-unique-SVP).

PKE – Description (cont.). Private key: y. Public key: A = {a1,…,am}. Encryption of bit 0: a number chosen uniformly in {0,…,R−1}. Encryption of bit 1: the sum of a random subset of A, mod R. Decryption of w: if dist_y(w) < 1/50 then 1, otherwise 0.

PKE – Correctness. Encryption of the bit 0: w is uniform, so with probability 96% dist_y(w) > 1/50 and w decrypts to 0; these errors can be avoided. Encryption of the bit 1: for a subset S, with high probability dist_y(Σ_{i∈S} ai) < 1/100, since each ai is close to a peak; using Σ_{i∈S} ai < m·R and the fact that y is within 1/(100m) of an integer, reducing mod R moves the distance by less than 1/100, so dist_y(Σ_{i∈S} ai mod R) < 1/50.

PKE – Security. Lemma: if {a1,…,am} is a uniform sequence then the encryptions of 0 and of 1 are both uniform. Hence distinguishing between encryptions of 0 and of 1 implies distinguishing between public keys and uniform sequences! [Figure: Enc(0) vs. Enc(1) under the public key {a1,…,am}, compared with Enc(0) ≈ Enc(1) under a uniform {a1,…,am}]

PKE – Security. Lemma: public keys are indistinguishable from uniform sequences (based on n^(1.5+ε)-unique-SVP). Proof: follows from the average-case theorem, since y is chosen from a subset of [2^(n^2), 2·2^(n^2)] of measure 1/(50m) (the points within 1/(100m) of an integer).
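Two of the procedures above, the compression step of the worst-case to average-case reduction and the public key encryption scheme, share the same ingredients: a sampler for the d,γ-wavy distribution and the function dist_d. Here is one added example covering both (this code is not from the slides or the paper). All parameters (R, m, γ, the range of y, and the compression factor) are toy values chosen so that the run finishes instantly; at this size the scheme has no security, the point is only to see the mechanics and to check the correctness slide numerically. The integer-factor compression (a + kR)/c with k uniform in {0,…,c−1} generalizes the a/2 or (a+R)/2 rule of the slide to any integer c.

```python
"""Added example: compression of wavy distributions and a toy version of the
public key encryption scheme.  R, M, GAMMA and Y are assumed toy parameters,
not the slides' values (the slides use R = 2^(2n^2), m = 4n^2, gamma = n^(1+eps)
and y in [2^(n^2), 2*2^(n^2)]).  Not secure at this size.
"""
import math
import random

R = 2 ** 40        # toy modulus
M = 16             # public key length
GAMMA = 50_000     # period / standard deviation of the wavy distribution
Y = 2 ** 10        # bottom of the range from which the private key y is drawn


def dist(w, d, R=R):
    """Normalized distance in [0, 1/2] from w to the nearest peak j*R/d
    of the d,gamma-wavy distribution (the slides' dist_d)."""
    t = (w * d / R) % 1.0
    return min(t, 1.0 - t)


def sample_wavy(d, gamma, rng, R=R):
    """One sample of the d,gamma-wavy distribution on {0,...,R-1}: a uniformly
    chosen peak j*R/d plus Gaussian noise of standard deviation (R/d)/gamma."""
    period = R / d
    j = rng.randrange(math.ceil(d))
    return round(j * period + rng.gauss(0.0, period / gamma)) % R


def compress(a, c, rng, R=R):
    """Compression by an integer c >= 1: a d,gamma-wavy sample becomes a
    c*d,gamma-wavy sample (c = 2 is the slide's a/2 or (a+R)/2 rule);
    a uniform sample stays uniform."""
    k = rng.randrange(c)
    return round((a + k * R) / c) % R


def mean_dist(samples, d, R=R):
    return sum(dist(a, d, R) for a in samples) / len(samples)


def compression_check(d=8, c=3, n=2000, seed=7):
    """Returns (mean dist_{cd} of compressed d-wavy samples,
                mean dist_{cd} of compressed uniform samples):
    about 0 for the first, about 1/4 for the second."""
    rng = random.Random(seed)
    wavy = [compress(sample_wavy(d, GAMMA, rng), c, rng) for _ in range(n)]
    unif = [compress(rng.randrange(R), c, rng) for _ in range(n)]
    return mean_dist(wavy, c * d), mean_dist(unif, c * d)


# ---- the public key encryption scheme, toy parameters ----

def keygen(rng, m=M, gamma=GAMMA):
    """Private key: a real y in [Y, 2Y) within 1/(100m) of an integer.
    Public key: m samples of the y,gamma-wavy distribution."""
    y = rng.randrange(Y, 2 * Y) + rng.uniform(-1.0, 1.0) / (100 * m)
    return y, [sample_wavy(y, gamma, rng) for _ in range(m)]


def encrypt(A, bit, rng):
    if bit == 0:
        return rng.randrange(R)                     # uniform in {0,...,R-1}
    subset = [a for a in A if rng.random() < 0.5]   # random subset of A
    return sum(subset) % R                          # its sum mod R


def decrypt(y, w):
    return 1 if dist(w, y) < 1 / 50 else 0


def error_rates(n_trials=1000, seed=1):
    """Fraction of wrongly decrypted encryptions of 0 and of 1.
    By the correctness slide the first is about 4% and the second is 0."""
    rng = random.Random(seed)
    y, A = keygen(rng)
    err0 = sum(decrypt(y, encrypt(A, 0, rng)) != 0 for _ in range(n_trials)) / n_trials
    err1 = sum(decrypt(y, encrypt(A, 1, rng)) != 1 for _ in range(n_trials)) / n_trials
    return err0, err1


if __name__ == "__main__":
    print("compression, mean dist (wavy, uniform):", compression_check())
    print("decryption error rates (bit 0, bit 1):", error_rates())
```

compression_check() compresses 8,γ-wavy samples by c = 3 and measures dist_24 of the result (close to 0) against compressed uniform samples (close to 1/4, the mean of dist on a uniform input). error_rates() reproduces the correctness slide with the toy parameters: roughly 4% of the encryptions of 0 land within 1/50 of a peak and decrypt wrongly, while every encryption of 1 decrypts correctly, because each public key element is far closer to a peak than 1/(100m) and the reduction mod R shifts the distance by at most m times the distance of y from an integer.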

Application 2 Collision Resistant Hash Function

Collision Resistant Hash Function. Choose a1,…,am uniformly in {0,…,R−1}, where m = 2 log2 R = 4n^2. Then for b1,…,bm ∈ {0,1}, f(b1,…,bm) = Σ bi·ai mod R, which maps 4n^2 bits to 2n^2 bits. We will see a simpler proof based on n^(2.5+ε)-uSVP.

Collision Resistant Hash Function. Assume there exists a collision finding algorithm C, i.e., with non-negligible probability, given a1,…,am chosen uniformly, C finds c1,…,cm ∈ {−1,0,1}, not all zero, such that Σ ai·ci = 0 (mod R). (A collision x ≠ y of f gives such a vector c = x − y.)

Collision Resistant Hash Function. We show how to distinguish between the uniform and the d,γ-wavy distribution with γ = n^(2+ε) using C. Choose z uniformly from {0,…,R−1}; with probability 0.9, dist_d(z) > 1/20. Repeat the following enough times: choose a1,…,am from the unknown distribution and call C on a1,…,a(k−1), (ak + z mod R), a(k+1),…,am, where k is chosen uniformly from {1,…,m}. If ck is always zero, or C keeps failing, say 'wavy'; otherwise say 'uniform'.

Correctness. If the distribution is uniform: a1,…,a(k−1), (ak + z mod R), a(k+1),…,am has the same distribution as a uniform sequence, so C answers with non-negligible probability, and ck ≠ 0 with probability at least 1/m. If the distribution is d,γ-wavy: w.h.p., for all i ∈ {1,…,m}, dist_d(ai) < 1/(100n^2), so for all c1,…,cm ∈ {−1,0,1}, dist_d(Σ ci·ai) < 1/25 (since m = 4n^2). Therefore, if dist_d(z) > 1/20, then z can never be included in the sum, since a sum containing ±z would be at distance more than 1/20 − 1/25 from a peak and could not equal 0 mod R; i.e., ck = 0.

Application 3 Quantum Computation – The Dihedral HSP

Hidden Subgroup Problem. Given a function that is constant and distinct on the cosets of H ≤ G, find H. Solved for Abelian groups, and also for certain non-Abelian groups [RöttelerBeth'98, HallgrenRussellTa-Shma'00, GrigniSchulmanVaziraniVazirani'01, …]. Still open for many groups, in particular the symmetric group and the dihedral group (Z_N ⋊ Z_2).

Solving Dihedral HSP. Two approaches: Ettinger and Høyer '00, a reduction to "period finding from samples"; R '02, Kuperberg '03, a reduction to average-case subset sum.

Solving Dihedral HSP. Idea of Ettinger and Høyer: reduce to "Hidden Translation on Z_N": given an oracle that outputs states of the form |x⟩ + |x+d⟩, where x is arbitrary and d is fixed, find d. Take the Fourier transform, then measure.

Period Finding from Samples. Find the period of the following (cos^2) distribution by sampling. [Figure: a cos^2 distribution on {0,…,R−1}] [EH] showed that there is enough information in a polynomial number of samples. Open question in [EH]: is there an efficient solution to this problem?

Reduction. Lemma: a distinguisher between the cos^2 distribution and the uniform distribution implies a distinguisher between the wavy and the uniform distribution.

Guess the period and add noise. [Figure: a wavy distribution turned into a cos^2 distribution by guessing the period and adding noise]

Reduction. Corollary: finding the period of the cos^2 distribution is hard. Proof: since all cos^2 distributions look like uniform, they all look the same.

Conclusion. The main theorem and its average-case form. Applications: a strong public key encryption scheme; a collision resistant hash function; a solution to an open question in quantum computation. Other applications?