Lattice-Based Cryptography

Introduction to Lattice-Based Cryptography
Vadim Lyubashevsky, Tel-Aviv University, September 9, 2009

Cryptographic Hardness Assumptions
- Factoring is hard
- Discrete Log Problem is hard
- Diffie-Hellman problem is hard
- Decisional Diffie-Hellman problem is hard
- Problems involving elliptic curves are hard
- ... many assumptions

Why Do We Need More Assumptions?
- Number-theoretic functions are rather slow
- Factoring, discrete log and elliptic curves are "of the same flavor"
- Quantum computers (Shor's algorithm) break all of these number-theoretic assumptions

Lattice-Based Cryptography
- Seemingly very different assumptions from factoring, discrete log, elliptic curves
- Simple descriptions and implementations
- Very parallelizable
- Resists quantum attacks (we think)
- Security based on worst-case problems

Average-Case Assumptions vs. Worst-Case Assumptions
Example: we want to base a scheme on factoring
- We need to generate a "hard-to-factor" N. How?
- So we need a "hard distribution" over N
- Wishful thinking: factoring random numbers drawn from some distribution is as hard as factoring any number. Nothing of the kind is known for factoring; for lattice problems such worst-case to average-case reductions exist, and they are the subject of this talk.

Roadmap
Lattice Problems (worst-case) → Small Integer Solution Problem (SIS) and Learning With Errors Problem (LWE) (average-case)
SIS → Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
LWE → Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

Lattices
Lattice: a discrete additive subgroup of R^n

Lattices
Basis: a set of linearly independent vectors that generate the lattice (every lattice point is an integer combination of the basis vectors)

Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors

Approximate Shortest Independent Vector Problem
Find n "pretty short" linearly independent vectors (within an approximation factor of the shortest possible)

Bounded Distance Decoding (BDD)
Given a target vector that is close to the lattice, find the nearest lattice vector

Roadmap (refined)
Worst-case: SIVP → SIS (classical reduction); SIVP → BDD → LWE, where the step from SIVP to BDD is a quantum reduction [Reg05]
Average-case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
SIS → Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
LWE → Cryptomania: Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

Small Integer Solution Problem (SIS)
Given: random vectors a_1,...,a_m in Z_q^n
Find: a non-trivial solution z_1,...,z_m in {-1,0,1} such that
  a_1 z_1 + a_2 z_2 + ... + a_m z_m = 0 in Z_q^n
Observations:
- If the size of the z_i is not restricted, the problem is trivial (linear algebra mod q)
- Immediately implies a collision-resistant hash function

Collision-Resistant Hash Function
Given: random vectors a_1,...,a_m in Z_q^n; find a non-trivial solution z_1,...,z_m in {-1,0,1} with a_1 z_1 + ... + a_m z_m = 0 in Z_q^n
Let A = (a_1,...,a_m) and define h_A: {0,1}^m → Z_q^n by h_A(z_1,...,z_m) = a_1 z_1 + ... + a_m z_m
- Domain of h: {0,1}^m (size 2^m)
- Range of h: Z_q^n (size q^n)
- Set m > n log q to get compression
Collision: a_1 z_1 + ... + a_m z_m = a_1 y_1 + ... + a_m y_m
So a_1 (z_1 - y_1) + ... + a_m (z_m - y_m) = 0 with z_i - y_i in {-1,0,1}: a collision is an SIS solution

For Any Lattice ...
Consider the distribution obtained by:
1. Pick a uniformly random lattice point
2. Sample from a Gaussian distribution centered at the lattice point

One-Dimensional Gaussian Distribution

Two-Dimensional Gaussian Distribution (image courtesy of Wikipedia)

Gaussians on Lattice Points (images courtesy of Oded Regev): as the standard deviation grows, the sum of the Gaussians centered at the lattice points flattens out and approaches the uniform distribution

Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors
The standard deviation at which the sum of Gaussians over the lattice points becomes (essentially) uniform is related to the length of the longest vector in an SIVP solution; this is what ties the reduction below to SIVP

Worst-Case to Average-Case Reduction
Split space into a grid: divide each fundamental parallelepiped of the lattice into q^n equal cells and label each cell with an element of Z_q^n
Important: all lattice points have label (0,0), and all grid points labeled (0,0) are lattice points (0^n in n-dimensional lattices)

How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
- Pick a random lattice point v_i
- Gaussian sample a point s_i = v_i + r_i around the lattice point
- Let a_i in Z_q^n be the label of the cell containing s_i
All the samples a_1,...,a_m are uniform in Z_q^n (for a wide enough Gaussian)
Give the m "Z_q^n samples" a_1,...,a_m to the SIS oracle
Oracle outputs z_1,...,z_m in {-1,0,1} such that a_1 z_1 + ... + a_m z_m = 0

Why this gives a short lattice vector:
- The label of s_1 z_1 + ... + s_m z_m is a_1 z_1 + ... + a_m z_m = 0, so s_1 z_1 + ... + s_m z_m is a lattice vector
- s_i = v_i + r_i, so (v_1 + r_1) z_1 + ... + (v_m + r_m) z_m = (v_1 z_1 + ... + v_m z_m) + (r_1 z_1 + ... + r_m z_m) is a lattice vector
- v_1 z_1 + ... + v_m z_m is a lattice vector (an integer combination of lattice points)
- So r_1 z_1 + ... + r_m z_m is a lattice vector
- The r_i are short vectors and the z_i are in {-1,0,1}, so r_1 z_1 + ... + r_m z_m is a short lattice vector

Some Technicalities
- You can't sample a "uniformly random" lattice point; in the proofs we work with R^n / L rather than R^n, so you don't need to sample a random lattice point
- What if r_1 z_1 + ... + r_m z_m is 0? Can show that with high probability it isn't: given an s_i, there are multiple possible r_i, so the oracle cannot steer the sum to 0
- Gaussian sampling doesn't give us points on the grid; you can round to a grid point, but must be careful to bound the "rounding distance"
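
Worked example, added here and not part of the lecture: the collision-to-SIS step from the collision-resistant hash slide is implemented as a brute-force "SIS oracle", and the reduction of the last few slides is then run on a toy two-dimensional lattice. The basis B, n = 2, q = 11, m = 8 and the Gaussian width are my own toy assumptions (chosen so that enumerating {0,1}^m is feasible; they give no security). The rounding to a grid point and the bound on the rounding distance are the technicalities just mentioned.

```python
"""Toy worst-case-to-average-case reduction: SIS oracle -> short vector in a given lattice.
Added example, not from the lecture.  All parameters (n=2, q=11, m=8, SIGMA, the basis B)
are toy assumptions; the brute-force oracle is only feasible at this size."""
import math
import random
from fractions import Fraction
from itertools import product

N, Q, M = 2, 11, 8       # lattice dimension, SIS modulus, number of samples (2^m > q^n)
SIGMA = 2.0              # standard deviation of the Gaussian offsets r_i
# Lattice basis, one basis vector per row: a deliberately long ("bad") basis of the
# lattice generated by (3,1) and (1,4) (determinant 11).
B = [[23, 15], [10, 7]]


def hash_sis(a_vecs, x, q):
    """h_A(x) = x_1 a_1 + ... + x_m a_m mod q for x in {0,1}^m (the slides' h_A)."""
    n = len(a_vecs[0])
    return tuple(sum(x[i] * a_vecs[i][j] for i in range(len(a_vecs))) % q for j in range(n))


def sis_oracle(a_vecs, q):
    """Brute-force SIS solver: find a collision h_A(x) = h_A(y) by enumerating {0,1}^m
    (pigeonhole: 2^m > q^n) and return z = x - y in {-1,0,1}^m, so sum z_i a_i = 0 mod q."""
    seen = {}
    for x in product((0, 1), repeat=len(a_vecs)):
        h = hash_sis(a_vecs, x, q)
        if h in seen:
            return [xi - yi for xi, yi in zip(x, seen[h])]
        seen[h] = x
    return None


def to_real(coords):
    """c -> c_1 b_1 + c_2 b_2 in R^2."""
    return [sum(coords[i] * B[i][j] for i in range(N)) for j in range(N)]


def to_coords(point):
    """Inverse of to_real (Cramer's rule for the 2x2 basis)."""
    det = B[0][0] * B[1][1] - B[0][1] * B[1][0]
    x, y = point
    return [(x * B[1][1] - y * B[1][0]) / det, (y * B[0][0] - x * B[0][1]) / det]


def norm(coords):
    return math.hypot(*to_real(coords))


def find_short_lattice_vector(seed, max_tries=200):
    """The reduction of the slides.  Each fundamental parallelepiped is cut into q^n cells
    labelled by Z_q^n (coordinate c maps to label floor(q*c) mod q, so every lattice point
    gets label 0).  Returns (integer coords of a nonzero lattice vector w, bound on |w|)."""
    rng = random.Random(seed)
    cell_diam = sum(math.hypot(*row) for row in B) / Q     # bound on a grid cell's diameter
    for _ in range(max_tries):
        labels, offsets, bounds = [], [], []
        for _ in range(M):
            v = [rng.randint(-3, 3) for _ in range(N)]        # random lattice point v_i (coords)
            r = [rng.gauss(0, SIGMA) for _ in range(N)]       # Gaussian offset r_i in R^2
            s = [p + d for p, d in zip(to_real(v), r)]        # sample s_i = v_i + r_i
            t = [math.floor(Q * c) for c in to_coords(s)]     # grid cell containing s_i
            labels.append(tuple(ti % Q for ti in t))          # a_i in Z_q^n (independent of v_i)
            # rounded offset r'_i = (corner of the cell) - v_i, kept as exact rationals
            offsets.append([Fraction(ti, Q) - vi for ti, vi in zip(t, v)])
            bounds.append(math.hypot(*r) + cell_diam)         # |r'_i| <= |r_i| + cell diameter
        z = sis_oracle(labels, Q)                              # sum z_i a_i = 0 mod q
        w = [sum(z[i] * offsets[i][j] for i in range(M)) for j in range(N)]
        if any(w):
            # sum z_i t_i = 0 mod q, so every coordinate of w is an integer: a lattice vector
            assert all(c.denominator == 1 for c in w)
            return [int(c) for c in w], sum(abs(z[i]) * bounds[i] for i in range(M))
    return None                                                # w was 0 every time
```

find_short_lattice_vector(seed) returns integer coordinates of a nonzero lattice vector together with the bound sum |z_i| (|r_i| + cell diameter) that the proof controls; that bound grows with the Gaussian width and with the cell size (|b_1| + |b_2|)/q, which is why the proof takes q large enough to keep the rounding error small. The labels depend only on the Gaussian offsets, never on the chosen v_i, which is the R^n / L remark from the technicalities slide.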

Learning With Errors Problem
Distinguish between these two distributions:
Oracle 1: (a_1, b_1 = <a_1,s> + e_1), (a_2, b_2 = <a_2,s> + e_2), ... where s is chosen randomly in Z_q^n, the a_i are chosen randomly from Z_q^n, and the e_i are "small" elements of Z_q
Oracle 2: (a_1, b_1), (a_2, b_2), ... where the a_i are chosen randomly from Z_q^n and the b_i are chosen randomly from Z_q

Learning With Errors Problem (matrix form)
b = As + e, where A is in Z_q^{m x n} (rows a_1,...,a_m), s is in Z_q^n, e is in Z_q^m, and all coefficients of e are < sqrt(q) in absolute value
LWE problem: distinguish (A, As + e) from (A, b) where b is random

Public Key Encryption Based on LWE
Secret key: s in Z_q^n
Public key: A in Z_q^{m x n}, b = As + e, where each coefficient of e is < sqrt(q)
Encrypting a single bit z in {0,1}: pick r in {0,1}^m and send (rA, <r,b> + z(q/2))

Proof of Semantic Security
If b is random, then (A, rA, <r,b>) is also completely random (for m > n log q, by the leftover hash lemma), so (A, rA, <r,b> + z(q/2)) is completely random
Since (A, b) looks random (based on the hardness of LWE), so does (A, rA, <r,b> + z(q/2)) for any z

Decryption
Have (u, v) where u = rA and v = <r,b> + z(q/2)
Compute <u,s> - v (mod q):
- If <u,s> - v is closer to 0 than to q/2, decrypt to 0
- If <u,s> - v is closer to q/2 than to 0, decrypt to 1
Correctness: <u,s> - v = rAs - r(As + e) - z(q/2) = -<r,e> - z(q/2)
If all coefficients of e are < sqrt(q) and r is in {0,1}^m, then |<r,e>| < m sqrt(q)
So if q >> m sqrt(q) (concretely, m sqrt(q) < q/4), the term z(q/2) "dominates" -<r,e> - z(q/2) and decryption is correct
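
The scheme of the last three slides as runnable code (added example, not from the lecture). The parameters n = 16, m = 64, q = 1021 and an error bound of 2 per coefficient are toy assumptions, far too small to be secure, but they satisfy the correctness condition m * max|e_i| = 128 < q/4 from the decryption slide; `bound` plays the role of the slides' sqrt(q) limit on the error coefficients.

```python
"""Added example, not from the lecture: single-bit LWE public-key encryption as on the
slides, with the decryption-correctness condition made explicit.  N, M, Q and ERR_BOUND
are toy assumptions (insecure, but they satisfy M*ERR_BOUND < Q/4)."""
import random

N, M, Q = 16, 64, 1021        # secret length n, number of samples m, modulus q (prime)
ERR_BOUND = 2                 # each error coefficient e_i lies in [-ERR_BOUND, ERR_BOUND]


def dot(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q


def keygen(rng, bound=ERR_BOUND):
    """Secret key s in Z_q^n; public key (A, b = As + e) with A in Z_q^{m x n}, e small."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-bound, bound) for _ in range(M)]
    b = [(dot(row, s, Q) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)


def encrypt_bit(pk, z, rng):
    """Pick r in {0,1}^m and send (u = rA, v = <r,b> + z*floor(q/2))."""
    A, b = pk
    r = [rng.randint(0, 1) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (dot(r, b, Q) + z * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct):
    """d = <u,s> - v = -<r,e> - z*floor(q/2) (mod q); output 0 if d is closer to 0 than
    to q/2 on the cycle Z_q, else 1.  Correct whenever |<r,e>| < q/4."""
    u, v = ct
    d = (dot(u, s, Q) - v) % Q
    dist_to_zero = min(d, Q - d)
    dist_to_half = abs(d - Q // 2)
    return 0 if dist_to_zero < dist_to_half else 1


def max_error_term(bound=ERR_BOUND):
    """|<r,e>| <= m * max|e_i| because r is a 0/1 vector; decryption needs this below q/4."""
    return M * bound


def roundtrip(seed, bits, bound=ERR_BOUND):
    """Encrypt each bit under one key pair and decrypt it again; returns the recovered bits."""
    rng = random.Random(seed)
    s, pk = keygen(rng, bound)
    return [decrypt_bit(s, encrypt_bit(pk, z, rng)) for z in bits]
```

roundtrip(seed, bits) returns bits unchanged whenever max_error_term() < Q/4. Raising the error bound (or m) until M * bound reaches Q/4 is the failure mode the decryption slide warns about: the error term -<r,e> can then wrap past q/4 and decryption starts flipping bits.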

Lattices in Practice
Lattices have some great features:
- Very strong security proofs
- The schemes are fairly simple
- Relatively efficient
But there is a major drawback: the schemes have very large keys

Hash Function
Description of the hash function: a_1,...,a_m in Z_q^n
Input: bit-string z_1...z_m in {0,1}^m
h(z_1...z_m) = a_1 z_1 + a_2 z_2 + ... + a_m z_m
Sample parameters: n = 64, m = 1024, q = p = 257
- Domain size: 2^1024 (1024 bits)
- Range size: 257^64 (≈ 512 bits)
- Function description: log(257) * 64 * 1024 ≈ 525,000 bits

Public-Key Cryptosystem
(Textbook) RSA:
- Key size: ≈ 2048 bits
- Ciphertext length (2048-bit message): ≈ 2048 bits
LWE-based scheme:
- Key size: ≈ 600,000 bits
- Ciphertext length (2048-bit message): ≈ 40,000 bits

Source of Inefficiency
h(z) = Az, where A is an n × (n log n) matrix of random Z_q entries and z is an (n log n)-bit string
- Requires O(n^2) storage (ignoring log factors)
- Computing the function takes O(n^2) time

A More Efficient Idea
Build A from n × n circulant blocks, each determined by its first column (the columns of a block are a, xa, x^2 a, ... for a polynomial a), e.g. with n = 4 and two blocks:
  4  1  2  7 | 10  7  1 13
  7  4  1  2 | 13 10  7  1
  2  7  4  1 |  1 13 10  7
  1  2  7  4 |  7  1 13 10
Now A only requires n log n storage, and Az can be computed faster as well

A More Efficient Idea
With z = (1,0,0,1 | 0,1,1,0), reading each block of z as a polynomial,
  Az = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Z_p[x]/(x^n - 1)

Interlude: What is Z_p[x]/(x^n - 1)?
Z = integers
Z_p = integers modulo p
Z_p[x] = polynomials with coefficients in Z_p. Example if p = 3: 1 + x, 2 + x^2 + x^1001
Z_p[x]/(x^n - 1) = polynomials of degree at most n - 1 with coefficients in Z_p (reduced using x^n = 1). Example if p = 3 and n = 4: 1 + x, 2 + x + x^2

Operations in Z_p[x]/(x^n - 1)
Addition: addition of polynomials modulo p. Example if p = 3 and n = 4: (1 + x^2) + (2 + x^2 + x^3) = 3 + 2x^2 + x^3 = 2x^2 + x^3
Multiplication: polynomial multiplication modulo p and x^n - 1. Example: (1 + x^2) * (2 + x^2 + x^3) = 2 + 3x^2 + x^3 + x^4 + x^5 = 2 + 3x^2 + x^3 + 1 + x = 3 + x + 3x^2 + x^3 = x + x^3

Multiplication in Z_p[x]/(x^n - 1) as a Matrix/Vector Product
Have polynomials f and g = g_0 + g_1 x + g_2 x^2 + ... + g_{n-1} x^{n-1} (n = 4 below)
Form the matrix whose columns are f, fx, fx^2, fx^3 and multiply it by the coefficient vector of g:
  [f | fx | fx^2 | fx^3] (g_0, g_1, g_2, g_3)^T = g_0 f + g_1 fx + g_2 fx^2 + g_3 fx^3 = f (g_0 + g_1 x + g_2 x^2 + g_3 x^3) = fg

A More Efficient Idea (continued)
Az = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Z_p[x]/(x^n - 1) is a sum of ring products, and multiplication in Z_p[x]/(x^n - 1) takes time O(n log n) using the FFT

Great, a Better Hash Function!
Sample parameters: n = 64, m = 1024, p = 257
- Domain size: 2^1024 (1024 bits)
- Range size: 257^64 (≈ 512 bits)
- Function description: log(257) * 64 * 1024 ≈ 525,000 bits
- "New function" description: log(257) * 64 * 16 ≈ 8192 bits (m/n = 16 circulant blocks, each described by n = 64 coefficients), and it's much faster!

But Is it Hard to Find Collisions (for A built from circulant blocks)?
NO!

Finding Collisions
(Figure: h maps the domain D onto the range R; restricting h to a subset D' of the domain whose image R' is much smaller than R makes collisions easy to find by pigeonhole.)

Finding Collisions
h(z) = A_1 z_1 + A_2 z_2 in Z_q^n, where A_1, A_2 are the circulant blocks (built from 4 + 7x + 2x^2 + x^3 and 10 + 13x + x^2 + 7x^3) and z_1, z_2 are the blocks of z
How many possibilities are there for the output vector? q^n
There is a way to pick the z vector "smarter" so that the number of possibilities is just q

Finding Collisions
  4  1  2  7     1     14
  7  4  1  2  ×  1  =  14
  2  7  4  1     1     14
  1  2  7  4     1     14
A circulant block times the all-ones vector is a multiple of the all-ones vector (here 4 + 1 + 2 + 7 = 14)

Finding Collisions
Set each block of z to either all 0's or all 1's. Each block then contributes either 0 or a_i(1) * (1,...,1), so the output is c * (1,...,1) for some c in Z_q: only q possibilities
How many possibilities for z are there? 2^(# of blocks)
Need 2^(# of blocks) > q to guarantee a collision of this form, i.e. # of blocks > log q

Collision-Resistant Hash Function (revisited)
h_A: {0,1}^m → Z_q^n, h_A(z_1,...,z_m) = a_1 z_1 + ... + a_m z_m; domain size 2^m, range size q^n; compression requires m > n log q
But then # of blocks = m/n > log q, so the attack above always applies to the circulant construction

But ...
Theorem: for a random r in Z_q^n, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q = r (A built from circulant blocks as above)
So the circulant construction is still a one-way function, even though it is not collision-resistant

Lattice Problems for "Cyclic Lattices"
Worst-Case → Average-Case → One-Way Functions

Cyclic Lattices = Ideals in Z[x]/(x^n - 1) = (x^n - 1)-Ideal Lattices
A set L in Z^n is a cyclic lattice if:
1.) For all v, w in L, v + w is also in L. Example: (-1, 2, 3, -4) + (-7, -2, 3, 6) = (-8, 0, 6, 2)
2.) For all v in L, -v is also in L. Example: (-1, 2, 3, -4) → (1, -2, -3, 4)
3.) For all v in L, a cyclic shift of v is also in L. Example: (-1, 2, 3, -4) → (-4, -1, 2, 3) → (3, -4, -1, 2) → (2, 3, -4, -1)
Reading a vector (v_0,...,v_{n-1}) as the polynomial v_0 + v_1 x + ... + v_{n-1} x^{n-1}, a cyclic shift is multiplication by x in Z[x]/(x^n - 1), so 1.)-3.) say exactly that L is an ideal of that ring

What About Hash Functions?
The hash function built from circulant (x^n - 1) blocks is not collision-resistant

A "Simple" Modification
Use negacyclic blocks, i.e. work in Z_q[x]/(x^n + 1) instead of Z_q[x]/(x^n - 1):
  4 -1 -2 -7 | 10 -7 -1 -13
  7  4 -1 -2 | 13 10 -7  -1
  2  7  4 -1 |  1 13 10  -7
  1  2  7  4 |  7  1 13  10
Theorem: it is hard to find a z with coefficients in {-1,0,1} such that Az mod q = 0
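
Added example, not from the lecture, covering the interlude on Z_p[x]/(x^n - 1), the all-ones collision attack on the circulant hash, and the x^n + 1 modification just described. The two sample polynomials are the ones from the slides; n = 4, q = 7 for the attack (so that 2^(# of blocks) > q with four blocks), q = 17 where the slides' unreduced numbers are checked, and the two extra blocks are toy assumptions.

```python
"""Added example, not from the lecture: the block-structured hash of the slides,
arithmetic in Z_q[x]/(x^n-1) and Z_q[x]/(x^n+1) as circulant / negacyclic
matrix-vector products, the all-ones collision attack on the x^n-1 version,
and the check that shows why it fails for x^n+1.  Parameters are toy assumptions."""
from itertools import product

SLIDE_POLYS = [[4, 7, 2, 1], [10, 13, 1, 7]]   # 4+7x+2x^2+x^3 and 10+13x+x^2+7x^3 (from the slides)


def poly_mul(f, g, q, sign):
    """f*g in Z_q[x]/(x^n - sign): sign=+1 is x^n-1 (cyclic), sign=-1 is x^n+1 (negacyclic)."""
    n = len(f)
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k, c = i + j, fi * gj
            if k >= n:                         # reduce x^n to sign
                k, c = k - n, sign * c
            out[k] = (out[k] + c) % q
    return out


def ring_matrix(f, q, sign):
    """Rows of the n x n matrix whose columns are f, x*f, x^2*f, ... (the slide
    'multiplication as a matrix/vector product')."""
    n = len(f)
    cols, cur = [], [c % q for c in f]
    for _ in range(n):
        cols.append(cur)
        cur = [(sign * cur[-1]) % q] + cur[:-1]   # multiply by x: shift, wrap the top coefficient
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def matvec(A, v, q):
    return [sum(a * x for a, x in zip(row,  v)) % q for row in A]


def ring_hash(polys, z_blocks, q, sign):
    """h(z) = sum_i a_i(x) * z_i(x), where z_i is the i-th n-bit block of z read as a polynomial."""
    acc = [0] * len(polys[0])
    for a, zb in zip(polys, z_blocks):
        acc = [(x + y) % q for x, y in zip(acc, poly_mul(a, zb, q, sign))]
    return tuple(acc)


def block_is_constant(f, q, sign):
    """Does f(x) * (1 + x + ... + x^{n-1}) collapse to c*(1,...,1)?  Always true mod x^n-1
    (it equals f(1)*(1,...,1)), generally false mod x^n+1."""
    out = poly_mul(f, [1] * len(f), q, sign)
    return all(c == out[0] for c in out)


def all_ones_attack(polys, q, sign):
    """Set each block of z to all-0 or all-1 and look for two inputs with the same hash.
    Mod x^n-1 only q outputs are possible, so 2^(#blocks) > q forces a collision."""
    n, k = len(polys[0]), len(polys)
    seen = {}
    for choice in product((0, 1), repeat=k):
        z_blocks = [[bit] * n for bit in choice]
        h = ring_hash(polys, z_blocks, q, sign)
        if h in seen:
            return seen[h], z_blocks
        seen[h] = z_blocks
    return None
```

ring_matrix reproduces the slide's circulant and negacyclic blocks, ring_hash evaluates the Az of the "more efficient idea" slide, and all_ones_attack finds a collision for the x^n - 1 version with four blocks over Z_7 by pigeonhole. block_is_constant is the structural reason: over x^n - 1 every block maps the all-ones vector to a multiple of itself, while over x^n + 1 it does not, so the restricted domain no longer has a tiny image and this attack gives nothing.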

Lattice Problems for (x^n + 1)-Ideal Lattices
Worst-Case → Average-Case: Small Integer Solution Problem (SIS)
SIS → Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes

(x^n + 1)-Ideal Lattices
A set L in Z^n is an (x^n + 1)-ideal lattice if:
1.) For all v, w in L, v + w is also in L. Example: (-1, 2, 3, -4) + (-7, -2, 3, 6) = (-8, 0, 6, 2)
2.) For all v in L, -v is also in L. Example: (-1, 2, 3, -4) → (1, -2, -3, 4)
3.) For all v in L, its "negative rotation" (multiplication by x in Z[x]/(x^n + 1): shift right and negate the coefficient that wraps around) is also in L. Example: (-1, 2, 3, -4) → (4, -1, 2, 3) → (-3, 4, -1, 2) → (-2, -3, 4, -1)

So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions:
- More efficient than any other provably-secure hash function
- Almost as efficient as the ones used in practice
- Can only prove collision-resistance
Signature schemes:
- Theoretically, very efficient
- In practice, efficient: key length ≈ 20,000 bits, signature length ≈ 50,000 bits

Future Directions
- Build more primitives (for inspiration, go to http://cseweb.ucsd.edu/users/mihir/crypto-topic-generator.html)
- Build "theoretically efficient" primitives based on lattices
- Build "cryptomania" primitives on the same assumption as "minicrypt" primitives
- Build practical primitives using ideal lattices
- Determine the hardness of ideal lattice problems

References (General Lattices)
Worst-case to average-case reductions: to SIS [Ajt96, ..., MicReg04]; to LWE [Reg05]
Minicrypt constructions: hash functions [Ajt96, ..., MicReg04]; ID schemes [MicVad03, Lyu08, KawTanXag08]; signature schemes [LyuMic08, GenPeiVai08]
Cryptomania constructions: PKE [AjtDwo97, Reg03, Reg05, GenPeiVai08, PeiWat08, Pei09]; OT [PeiVai08]
Reductions between lattice problems (relevant to this talk): [Ban93, Reg05, LyuMic09]

References (Ideal Lattices)
Worst-case to average-case reductions: [Mic02, PeiRos06, LyuMic06]
Hash functions: [PeiRos06, LyuMic06, LyuMicPeiRos08]
ID schemes: [Lyu09]
Signature schemes: [LyuMic08, Lyu09, SteSteTanXag09]
PKE: [Gen09, SteSteTanXag09]