Lattice-Based Cryptography

Presentation transcript:


Lattice-Based Cryptography (overview)
Worst-case lattice problems reduce to two average-case problems, and each of those yields a family of primitives:
Lattice Problems (Worst-Case) -> Small Integer Solution Problem (SIS) (Average-Case) -> One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)
Lattice Problems (Worst-Case) -> Learning With Errors Problem (LWE) (Average-Case) -> Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption (Cryptomania)

Learning With Errors Problem
Find the secret s, given samples
  a1, b1 = <a1,s> + e1
  a2, b2 = <a2,s> + e2
  ...
s is chosen randomly in Zq^n
ai are chosen randomly from Zq^n
ei are “small” elements in Zq

(Decisional) Learning With Errors Problem
Distinguish between these two distributions:
Oracle 1:
  a1, b1 = <a1,s> + e1
  a2, b2 = <a2,s> + e2
  ...
  s is chosen randomly in Zq^n; ai are chosen randomly from Zq^n; ei are “small” elements in Zq
Oracle 2:
  a1, b1
  a2, b2
  ...
  ai are chosen randomly from Zq^n; bi are chosen randomly from Zq

LWE < d-LWE (search LWE reduces to decisional LWE)
Given an LWE sample (a, b) = (a, <a,s> + e): pick random r in Zq, a vector v, and a guess g for <v,s>.
Output (a + rv, b + rg) = (a + rv, <a,s> + e + rg).
If g = <v,s>, then (a + rv, b + rg) = (a + rv, <a,s> + e + r<v,s>) = (a + rv, <a + rv, s> + e), which is the Oracle 1 distribution.
If g ≠ <v,s>, write g = <v,s> + g' with g' ≠ 0; then (a + rv, b + rg) = (a + rv, <a,s> + e + r<v,s> + rg') = (a + rv, <a + rv, s> + e + rg').
  Here r is independent of a' = a + rv, s and e, so for every u: Pr[<a',s> + e + rg' = u | a'] = Pr[r = (u - (<a',s> + e)) * (g')^-1] = 1/q
  (this uses that g' is invertible in Zq, e.g. q prime), which is the Oracle 2 distribution.
Use the distinguisher to tell us whether the guess for <v,s> was correct.
Setting v = (1,0,...,0), then (0,1,0,...,0), ... and trying each of the q possible guesses per coordinate recovers all the coordinates of s.
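The sample-rerandomising map (a, b) -> (a + rv, b + rg) and the coordinate-by-coordinate recovery of s, as an added example in Python that is not part of the slides. The decisional oracle is simulated: a real reduction is handed a distinguisher as a black box, whereas here simulated_oracle checks smallness of the residual error using the hidden secret, which the reduction itself never reads. The parameters q = 97, n = 4, bound = 2 and the eight samples per guess are constructed for the demonstration.

```python
import random

def dot(a, s, q):
    """Inner product <a, s> over Z_q."""
    return sum(x * y for x, y in zip(a, s)) % q

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def lwe_sample(rng, s, q, bound):
    """One search-LWE sample (a, <a,s> + e): a uniform in Z_q^n, |e| <= bound."""
    a = [rng.randrange(q) for _ in s]
    e = rng.randint(-bound, bound)
    return a, (dot(a, s, q) + e) % q

def transform(sample, v, g, q, rng):
    """The reduction's randomised map: (a, b) -> (a + r*v, b + r*g), r uniform in Z_q.
    If g == <v,s> the result is (a', <a',s> + e) with the original error e.
    If g != <v,s> and q is prime, the second coordinate is uniform in Z_q."""
    a, b = sample
    r = rng.randrange(q)
    a2 = [(ai + r * vi) % q for ai, vi in zip(a, v)]
    return a2, (b + r * g) % q

def residual(sample, s, q):
    """b - <a,s>, centred: equals the error e for a genuine LWE sample under s."""
    a, b = sample
    return centered(b - dot(a, s, q), q)

def simulated_oracle(samples, s_hidden, q, bound):
    """Stand-in for the decisional-LWE distinguisher (Oracle 1 vs Oracle 2).
    Simulated with the hidden secret; returns True when every sample looks
    like Oracle 1, i.e. carries a small error.  A real distinguisher only
    needs a noticeable advantage, which is then amplified by repetition."""
    return all(abs(residual(smp, s_hidden, q)) <= bound for smp in samples)

def recover_secret(samples, s_hidden, q, bound, rng):
    """Search-LWE from decision-LWE: for coordinate i take v = e_i and try every
    guess g in Z_q for s_i, accepting the guess the oracle certifies."""
    n = len(s_hidden)
    recovered = []
    for i in range(n):
        v = [1 if j == i else 0 for j in range(n)]
        for g in range(q):
            mapped = [transform(smp, v, g, q, rng) for smp in samples]
            if simulated_oracle(mapped, s_hidden, q, bound):
                recovered.append(g)
                break
        else:
            raise RuntimeError("no guess accepted: oracle failed")
    return recovered

def demo(seed=1):
    """Constructed toy instance: q = 97 (prime, so g' is invertible), n = 4,
    |e| <= 2, eight samples per oracle query.  Returns (s, recovered s)."""
    q, n, bound, k = 97, 4, 2, 8
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    samples = [lwe_sample(rng, s, q, bound) for _ in range(k)]
    return s, recover_secret(samples, s, q, bound, rng)
```

With eight samples per query a wrong guess passes the simulated oracle only if all eight uniform residuals happen to fall in [-2, 2], probability (5/97)^8, which is why the recovered vector matches s; the correct guess leaves the original errors untouched and always passes.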

Learning With Errors Problem (matrix form)
Stack the samples: b = A s + e, where the rows a1, ..., am of A and s are in Zq^n, and e is in Zq^m
All coefficients of e are < sqrt(q)

Learning With Errors Problem
A s + e = b, where A is in Zq^(m x n), s is in Zq^n, e is in Zq^m
All coefficients of e are < sqrt(q)
LWE problem: Distinguish (A, As + e) from (A, b) where b is random

Public Key Encryption Based on LWE
Secret Key: s in Zq^n
Public Key: A in Zq^(m x n), b = As + e, where each coefficient of e is < sqrt(q)
Encrypting a single bit z in {0,1}: pick r in {0,1}^m and send (rA, <r,b> + z(q/2))

Proof of Semantic Security
If b is random, then (A, rA, <r,b>) is also completely random (this needs m large enough relative to n log q, so that the random r in {0,1}^m makes rA and <r,b> close to uniform), so (A, rA, <r,b> + z(q/2)) is also completely random.
Since (A, b) looks random (based on the hardness of LWE), so does (A, rA, <r,b> + z(q/2)) for any z.

Decryption
Have (u, v) where u = rA and v = <r,b> + z(q/2).
Compute <u,s> - v (mod q).
If <u,s> - v is closer to 0 than to q/2, then decrypt to 0.
If <u,s> - v is closer to q/2 than to 0, then decrypt to 1.
Why this works: <u,s> - v = rAs - r(As + e) - z(q/2) = -<r,e> - z(q/2).
If all coefficients of e are < sqrt(q) and r is in {0,1}^m, then |<r,e>| < m*sqrt(q).
So if q >> m*sqrt(q) (precisely, m*sqrt(q) < q/4), the term z(q/2) “dominates” -<r,e>, and the bit z is recovered.
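The LWE encryption scheme of the last three slides, as an added example in Python that is not part of the slides: key generation, the bit-by-bit encryption (rA, <r,b> + z(q/2)) and the decoding rule on <u,s> - v. The parameters q = 2^17, n = 4, m = 80 and the error bound 362 are constructed so that m*bound < q/4 holds exactly as the correctness argument requires; they are a toy setting, not a secure one.

```python
import random

def keygen(rng, n, m, q, bound):
    """Secret key s in Z_q^n; public key (A, b = A s + e) with A in Z_q^(m x n)
    and every coefficient of e in [-bound, bound] (the slide's |e_i| < sqrt(q))."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + rng.randint(-bound, bound)) % q
         for row in A]
    return s, (A, b)

def encrypt_bit(rng, pk, z, q):
    """Encrypt one bit z: pick r in {0,1}^m, send (u, v) = (r A, <r,b> + z*(q/2))."""
    A, b = pk
    m, n = len(A), len(A[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    v = (sum(r[i] * b[i] for i in range(m)) + z * (q // 2)) % q
    return u, v

def decrypt_bit(s, ct, q):
    """<u,s> - v = -<r,e> - z*(q/2) (mod q): output 0 if that value is closer
    to 0 than to q/2 on the circle Z_q, otherwise 1."""
    u, v = ct
    d = (sum(ui * si for ui, si in zip(u, s)) - v) % q
    dist_to_zero = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 0 if dist_to_zero < dist_to_half else 1

def encrypt_bits(rng, pk, bits, q):
    return [encrypt_bit(rng, pk, z, q) for z in bits]

def decrypt_bits(s, cts, q):
    return [decrypt_bit(s, ct, q) for ct in cts]

def max_noise(m, bound):
    """Worst case of |<r,e>| for r in {0,1}^m: m*bound.  Decryption is correct
    whenever this is below q/4, the precise form of the slide's q >> m*sqrt(q)."""
    return m * bound

def demo(seed=7):
    # Constructed toy parameters: far too small to be secure, chosen only so
    # that m*bound < q/4 holds and the decryption argument can be checked.
    q, n, m = 2 ** 17, 4, 80
    bound = 362                       # largest integer below sqrt(2^17) ~ 362.04
    assert max_noise(m, bound) < q // 4
    rng = random.Random(seed)
    s, pk = keygen(rng, n, m, q, bound)
    bits = [int(c) for c in "1011001110"]
    return bits, decrypt_bits(s, encrypt_bits(rng, pk, bits, q), q)
```

Each bit costs a ciphertext of n + 1 elements of Z_q, which is where the slide's ≈ 40,000-bit ciphertexts for a 2048-bit message come from once n is large enough to matter; the public key (A, b) is m(n + 1) elements, the ≈ 600,000-bit figure on the next slides.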

Lattices in Practice
Lattices have some great features:
  Very strong security proofs
  The schemes are fairly simple
  Relatively efficient
But there is a major drawback: schemes have very large keys

Hash Function
Description of the hash function: a1, ..., am in Zq^n
Input: bit-string z1...zm in {0,1}^m
h(z1...zm) = a1 z1 + a2 z2 + … + am zm
Sample parameters: n = 64, m = 1024, p = 257 (p is the modulus, written q elsewhere)
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description: log(257) * 64 * 1024 ≈ 525,000 bits

Public-Key Cryptosystem
(Textbook) RSA:
  Key-size: ≈ 2048 bits
  Ciphertext length (2048 bit message): ≈ 2048 bits
LWE-based scheme:
  Key-size: ≈ 600,000 bits
  Ciphertext length (2048 bit message): ≈ 40,000 bits

Source of Inefficiency
[figure: h(z) = A z with A a random n x m matrix over Zq (n = 4, m = 8 in the picture) and z a 0/1 column vector]
Require O(mn) storage
Computing the function takes O(mn) time

A More Efficient Idea
Build A from circulant n x n blocks: each column is the previous one rotated down by one, so a block is determined by its first column. The picture (n = 4, m = 8) is
  4  1  2  7 | 10  7  1 13
  7  4  1  2 | 13 10  7  1
  2  7  4  1 |  1 13 10  7
  1  2  7  4 |  7  1 13 10
Now A only requires m storage
Az can be computed faster as well

A More Efficient Idea
With A made of circulant blocks, A z is a sum of polynomial products: read the first column of each block as a polynomial and each block of z as a 0/1 polynomial. For the picture, with z = (1,0,0,1, 0,1,1,0):
  A z = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Zp[x]/(x^n - 1)

Interlude: What is Zp[x]/(x^n - 1)?
Z = integers
Zp = integers modulo p
Zp[x] = polynomials with coefficients in Zp. Example if p = 3: 1 + x, 2 + x^2 + x^1001
Zp[x]/(x^n - 1) = polynomials of degree at most n - 1, with coefficients in Zp. Example if p = 3 and n = 4: 1 + x, 2 + x + x^2

Operations in Zp[x]/(x^n - 1)
Addition: addition of polynomials modulo p. Example if p = 3 and n = 4: (1 + x^2) + (2 + x^2 + x^3) = 2x^2 + x^3
Multiplication: polynomial multiplication modulo p and x^n - 1. Example if p = 3 and n = 4: (1 + x^2) * (2 + x^2 + x^3) = 2 + 3x^2 + x^3 + x^4 + x^5 = 2 + 3x^2 + x^3 + 1 + x = x + x^3 (using x^4 = 1, x^5 = x, and 3 = 0 mod 3)

A More Efficient Idea
A z = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Zp[x]/(x^n - 1)
Multiplication in Zp[x]/(x^n - 1) takes time O(n log n) using the FFT

Great, a Better Hash Function!
Sample parameters: n = 64, m = 1024, p = 257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description: log(257) * 64 * 1024 ≈ 525,000 bits
“New function” description: log(257) * 64 * 16 ≈ 8192 bits (only the m/n = 16 first columns are stored), and it's much faster!

But Is it Hard to Find Collisions?
[figure: the same A made of circulant blocks (n = 4, m = 8) applied to z]
NO!

Finding Collisions
[figure: h maps the domain D to the range R; restricting h to a sub-domain D' whose image lies in a small sub-range R' of R gives a collision whenever |D'| > |R'|]

Finding Collisions
A z in Zq^n is the sum of one circulant block times the corresponding block of z:
  4  1  2  7              10  7  1 13
  7  4  1  2   * z_1  +   13 10  7  1   * z_2
  2  7  4  1               1 13 10  7
  1  2  7  4               7  1 13 10
How many possibilities are there for this vector? q^n
There is a way to pick the z vector “smarter” so that the number of possibilities is just q

Finding Collisions
A circulant block times the all-ones vector is a constant vector (every coordinate is the sum of the first column, 4 + 1 + 2 + 7 = 14):
  4  1  2  7     1     14
  7  4  1  2  *  1  =  14
  2  7  4  1     1     14
  1  2  7  4     1     14

Finding Collisions
Set each block of z to either all 0's or all 1's; then each block contributes a constant vector, so A z is a constant vector c(1, ..., 1) with only q possible values of c.
How many possibilities for z are there? 2^(# of blocks)
Need 2^(# of blocks) > q to guarantee a collision of this form, i.e. # of blocks > log q

Collision-Resistant Hash Function
Given: vectors a1, ..., am in Zq^n
Find: a non-trivial solution z1, ..., zm in {-1,0,1} such that a1 z1 + a2 z2 + … + am zm = 0 in Zq^n
A = (a1, ..., am). Define hA: {0,1}^m → Zq^n, where hA(z1, ..., zm) = a1 z1 + … + am zm
Domain of h = {0,1}^m (size = 2^m)
Range of h = Zq^n (size = q^n)
Set m > n log q to get compression; a collision hA(z) = hA(z') gives the solution z - z' in {-1,0,1}^m
In the circulant construction this means # of blocks = m/n > log q, so the collision of the previous slide always exists

But …
A z = r:
  4  1  2  7 | 10  7  1 13            12
  7  4  1  2 | 13 10  7  1   * z  =    3
  2  7  4  1 |  1 13 10  7             7
  1  2  7  4 |  7  1 13 10             4
Theorem: For a random r in Zq^n, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q = r

Lattice Problems for “Cyclic Lattices”
Worst-Case -> Average-Case -> One-Way Functions

Cyclic Lattices = Ideals in Z[x]/(x^n - 1) (also called (x^n - 1)-ideal lattices)
A set L in Z^n is a cyclic lattice if:
1.) For all v, w in L, v + w is also in L.  Example: (-1, 2, 3, -4) + (-7, -2, 3, 6) = (-8, 0, 6, 2)
2.) For all v in L, -v is also in L.  Example: v = (-1, 2, 3, -4), -v = (1, -2, -3, 4)
3.) For all v in L, a cyclic shift of v is also in L.  Example: the cyclic shifts of (-1, 2, 3, -4) are (-4, -1, 2, 3), (3, -4, -1, 2), (2, 3, -4, -1)
Reading a vector (v0, ..., v(n-1)) as the polynomial v0 + v1 x + … + v(n-1) x^(n-1), a cyclic shift is multiplication by x modulo x^n - 1, so conditions 1.) to 3.) say exactly that L is an ideal of Z[x]/(x^n - 1).

What About Hash Functions?
[figure: A made of circulant blocks (n = 4, m = 8) applied to z]
Not Collision-Resistant

A “Simple” Modification
Replace the circulant blocks by their (x^n + 1) counterparts: each column is the previous one rotated down, with the entry that wraps around negated.
  4 -1 -2 -7 | 10 -7 -1 -13
  7  4 -1 -2 | 13 10 -7  -1
  2  7  4 -1 |  1 13 10  -7
  1  2  7  4 |  7  1 13  10
Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q = 0
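The ring arithmetic of the interlude, the block-polynomial hash, the all-ones collision trick of the “Finding Collisions” slides and the reason the (x^n + 1) modification blocks it, as one added example in Python that is not part of the slides. ring_mul takes a sign so that the same code covers both x^n = 1 and x^n = -1. The two blocks (4,7,2,1) and (10,13,1,7) and the input z = (1,0,0,1,0,1,1,0) are the slides' own; the modulus q = 97 for that instance, and the random instance with q = 13 and four blocks, are constructed here.

```python
import itertools
import random

def ring_add(a, b, q):
    """Coefficient-wise addition in Z_q[x]/(x^n - sign)."""
    return [(x + y) % q for x, y in zip(a, b)]

def ring_mul(a, b, q, sign):
    """a(x)*b(x) reduced modulo q and modulo x^n - sign: sign = +1 is the cyclic
    ring (x^n = 1), sign = -1 is the (x^n + 1) ring of the modification (x^n = -1)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:                      # x^k = x^(k-n) * x^n = sign * x^(k-n)
                out[k - n] = (out[k - n] + sign * ai * bj) % q
    return out

def ring_hash(A, z, q, sign):
    """h_A(z) = sum_i a_i(x) * z_i(x): A lists the m/n block polynomials (the first
    column of each block); z is a 0/1 vector of length m cut into blocks of n bits."""
    n = len(A[0])
    acc = [0] * n
    for i, a in enumerate(A):
        acc = ring_add(acc, ring_mul(a, z[i * n:(i + 1) * n], q, sign), q)
    return acc

def structured_collision(A, q):
    """The slides' attack on the cyclic ring: a block of z set to all-ones maps
    a_i(x) to the constant vector sum(a_i) * (1, ..., 1), so over such inputs h_A
    takes at most q values while there are 2^k block patterns.  With 2^k > q two
    patterns share a value (pigeonhole); return such a pair, or None."""
    k, n = len(A), len(A[0])
    seen = {}
    for pattern in itertools.product([0, 1], repeat=k):
        z = [bit for bit in pattern for _ in range(n)]
        const = sum(sum(A[i]) for i in range(k) if pattern[i]) % q
        if const in seen:
            return seen[const], z
        seen[const] = z
    return None

# The slides' instance: n = 4, two blocks with first columns (4,7,2,1) and
# (10,13,1,7); z = (1 + x^3, x + x^2).  q = 97 is our own (constructed) choice.
SLIDE_A = [[4, 7, 2, 1], [10, 13, 1, 7]]
SLIDE_Z = [1, 0, 0, 1, 0, 1, 1, 0]

def demo_collision(seed=3, q=13, n=4, k=4):
    """Constructed random cyclic instance with 2^k = 16 > q = 13 blocks, so the
    structured collision is guaranteed; returns (z1, z2, h(z1), h(z2))."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(k)]
    z1, z2 = structured_collision(A, q)
    return z1, z2, ring_hash(A, z1, q, +1), ring_hash(A, z2, q, +1)
```

ring_mul([4,7,2,1], [1,1,1,1], 97, +1) returns the constant vector (14,14,14,14) of the “Finding Collisions” slide, whereas with sign = -1 the same product is (91, 8, 12, 14): in Z_q[x]/(x^n + 1) the all-ones block no longer collapses to a single coordinate value, which is why the pigeonhole argument has nothing to work with there. With only the two slide blocks, structured_collision returns None for q = 97 because 2^2 < 97; the guarantee needs more than log q blocks.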

Small Integer Solution Problem (SIS)
Lattice Problems for (x^n + 1)-Ideal Lattices (Worst-Case) -> Small Integer Solution Problem (SIS) (Average-Case) -> One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)

(x^n + 1)-Ideal Lattices
A set L in Z^n is an (x^n + 1)-ideal lattice if:
1.) For all v, w in L, v + w is also in L.  Example: (4, 3, 2, 1) + (6, 3, -2, -7) = (10, 6, 0, -6)
2.) For all v in L, -v is also in L.  Example: v = (4, 3, 2, 1), -v = (-4, -3, -2, -1)
3.) For all v in L, its “negative rotation” is also in L, i.e. multiplication by x modulo x^n + 1: shift right and negate the coefficient that wraps around.  Example: the negative rotations of (4, 3, 2, 1) are (-1, 4, 3, 2), (-2, -1, 4, 3), (-3, -2, -1, 4)

So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions:
  More efficient than any other provably-secure hash function
  Almost as efficient as the ones used in practice
  Can only prove collision-resistance
Signature schemes:
  Theoretically, very efficient
  In practice, efficient
  Key length ≈ 20,000 bits
  Signature length ≈ 50,000 bits