Published by Marjorie Pearson. Modified over 5 years ago.
Lattices. SVP & CVP. LLL Algorithm. Application in Cryptography
Stoica Liviu Faculty of Physics
CONTENTS
• Introduction
• Lattices: an example
• SVP and CVP: approximating CVP
• Using a basis to solve CVP and SVP
• Fundamental lattice theorems
• Lattice reduction
• Gram-Schmidt orthogonalization
• "The good basis conditions"
• The LLL algorithm
• Variants and improvements to LLL (BKZ algorithm)
• Lattice-based cryptography (GGH public key cryptosystem)
• Further reading
Stoica Liviu, Faculty of Computer Science
Why are lattice problems useful in cryptography ?
• Underlying every public key cryptosystem is a hard mathematical problem. The best known examples are:
  RSA: Integer Factorization Problem
  Diffie-Hellman: Discrete Logarithm Problem in $\mathbb{F}_q^*$
  ECC: Discrete Logarithm Problem on Elliptic Curves
• There are many other hard mathematical problems that one might use for cryptography.
• An appealing class of problems involves finding closest and shortest vectors in lattices.
• The general Closest Vector Problem (CVP) is known to be NP-hard, and the Shortest Vector Problem (SVP) is NP-hard under a randomized reduction hypothesis.
Lattices
Definition: A lattice L of dimension n is a maximal discrete subgroup of $\mathbb{R}^n$. Equivalently, a lattice is the $\mathbb{Z}$-linear span of a set of n linearly independent vectors:
$L = \{ a_1 v_1 + a_2 v_2 + \dots + a_n v_n : a_i \in \mathbb{Z} \}$
The fundamental domain of L (for this basis) is
$\mathcal{F}(L) = \{ t_1 v_1 + \dots + t_n v_n : 0 \le t_i < 1 \}$
The discriminant (the "volume") of L is
$\mathrm{Disc}(L) = \mathrm{Volume}(\mathcal{F}(L)) = \lvert \det(v_1 \mid v_2 \mid \dots \mid v_n) \rvert$
A two dimensional example
The Two Fundamental Hard Lattice Problems
Closest Vector Problem (CVP): Given a vector $t \in \mathbb{R}^n$ not in L, find a vector in L that is closest to t.
Shortest Vector Problem (SVP): Find a shortest nonzero vector in L.
The Approximate Closest Vector Problem
The approximate closest vector problem is to find a vector $v \in L$ so that $\lVert v - t \rVert$ is small. For example:
$\lVert v - t \rVert \le k \cdot \min_{w \in L} \lVert w - t \rVert$
for a small k.
Using a basis to try to solve the Closest Vector Problem
Fundamental Lattice Theorems
Hadamard's Inequality. Let $v_1, \dots, v_n$ be any basis for L. Then
$\mathrm{Disc}(L) \le \lVert v_1 \rVert \cdot \lVert v_2 \rVert \cdots \lVert v_n \rVert$
Theorem (Hermite): There is a constant $\gamma_n$ so that for all lattices L of dimension n:
• There is a nonzero vector $v \in L$ satisfying $\lVert v \rVert \le \sqrt{\gamma_n}\,\mathrm{Disc}(L)^{1/n}$
• There is a basis for L satisfying $\lVert v_1 \rVert \cdots \lVert v_n \rVert \le \gamma_n^{n/2}\,\mathrm{Disc}(L)$
$\gamma_n$ is called Hermite's constant. For large n it is bounded by
$\frac{n}{2\pi e} \le \gamma_n \le \frac{n}{\pi e}$
Theorem (Minkowski): Let L be a lattice of dimension n.
Then every compact convex symmetric region R of volume at least $2^n \,\mathrm{Disc}(L)$ contains a nonzero lattice point.
The region R in Minkowski's Theorem is assumed to have the following three properties:
• Compact: closed and bounded
• Convex: $v, w \in R \Rightarrow$ the line segment $\overline{vw} \subset R$
• Symmetric: $v \in R \Rightarrow -v \in R$
Lattice Reduction and the LLL Algorithm
Lattice Reduction is the name given to the practical problem of solving SVP and CVP, or more generally of finding reasonably short vectors and reasonably good bases. The best lattice reduction methods currently known are based on the LLL Algorithm of Lenstra, Lenstra, and Lovász.
LLL finds moderately short lattice vectors in polynomial time
LLL finds moderately short lattice vectors in polynomial time. This suffices for many applications. However, finding very short (or very close) vectors is currently still exponentially hard. It is worth noting that current lattice reduction algorithms such as LLL are highly sequential, so they are not distributable (although somewhat parallelizable). In recent years there has been progress in solving CVP and SVP with quantum algorithms.
Gram-Schmidt Orthogonalization
Let $B = \{v_1, \dots, v_n\}$ be a basis for $\mathbb{R}^n$. We can turn B into $B^* = \{v_1^*, \dots, v_n^*\}$, whose vectors are pairwise orthogonal:
$v_1^* = v_1$
$v_2^* = v_2 - \frac{v_2 \cdot v_1^*}{v_1^* \cdot v_1^*}\, v_1^*$
$\vdots$
$v_n^* = v_n - \frac{v_n \cdot v_{n-1}^*}{v_{n-1}^* \cdot v_{n-1}^*}\, v_{n-1}^* - \frac{v_n \cdot v_{n-2}^*}{v_{n-2}^* \cdot v_{n-2}^*}\, v_{n-2}^* - \dots - \frac{v_n \cdot v_1^*}{v_1^* \cdot v_1^*}\, v_1^*$
The Size and Quasiorthogonality Conditions (The good basis conditions)
If some coefficient in the Gram-Schmidt process satisfies
$\left| \frac{v_i \cdot v_j^*}{\lVert v_j^* \rVert^2} \right| > \frac{1}{2}$
then we replace $v_i$ by $v_i - a v_j$ for an appropriate $a \in \mathbb{Z}$ that makes the coefficient smaller. We say that the basis satisfies the Size Condition if
$\left| \frac{v_i \cdot v_j^*}{\lVert v_j^* \rVert^2} \right| \le \frac{1}{2}$ for all $j < i$.
Quasiorthogonality Condition:
$\lVert v_{i+1}^* \rVert \ge \lVert v_i^* \rVert$
It imposes that the angle between the two vectors is at least 60°.
Theorem (Hermite): Every lattice has a basis satisfying both the Size Condition and the Quasiorthogonality Condition.
So we relax the Quasiorthogonality Condition
Unfortunately, the best known algorithms to find such a basis are exponential in the dimension. So we relax the Quasiorthogonality Condition to
$\lVert v_{i+1}^* \rVert^2 \ge \left( \frac{3}{4} - \left( \frac{v_{i+1} \cdot v_i^*}{\lVert v_i^* \rVert^2} \right)^2 \right) \lVert v_i^* \rVert^2$
This is called the Lovász Condition.
The LLL Algorithm
Theorem (Lenstra, Lenstra, Lovász): There is a polynomial time algorithm that finds a basis for L satisfying both the Size Condition and the Lovász Condition. Such bases are called LLL Reduced Bases.
The Basic LLL Algorithm:
[1] k = 2
[2] LOOP WHILE k < n
[3]   Replace $v_1, \dots, v_k$ with linear combinations so the Size Condition is true
[4]   If the Lovász Condition is false
[5]     Swap $v_k \leftrightarrow v_{k-1}$ and set k = k − 1
[6]   Else
[7]     Set k = k + 1
[8]     If k = n, then the basis is LLL reduced
[9] END LOOP
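The Gram-Schmidt process, the Size and Lovász Conditions and the basic LLL loop above, together with the earlier Hadamard's Inequality slide, as an added Python example that is not part of the presentation. It works exactly over the rationals (Fractions) so the conditions can be checked without floating-point error; the input basis is the constructed worked example from the Wikipedia article on LLL and is test data only. Disc(L)² is computed as the product of the ‖v_i*‖² (the Gram determinant), which lets the Hadamard ratio be read off the same orthogonalization before and after reduction.

```python
from fractions import Fraction
from math import prod

# Constructed input (the worked example from the Wikipedia article on LLL,
# used here only as test data): three row vectors spanning a lattice in Z^3.
BASIS = [[1, -1, 3], [1, 0, 5], [1, 2, 6]]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(basis):
    """Gram-Schmidt without normalisation, exactly over the rationals.
    Returns (bstar, mu) with bstar[i] = v_i* and
    mu[i][j] = (v_i . v_j*) / ||v_j*||^2 for j < i (0 elsewhere)."""
    n = len(basis)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i, v in enumerate(basis):
        w = [Fraction(x) for x in v]
        for j in range(i):
            mu[i][j] = dot(v, bstar[j]) / dot(bstar[j], bstar[j])
            w = [wx - mu[i][j] * bx for wx, bx in zip(w, bstar[j])]
        bstar.append(w)
    return bstar, mu

def lll_reduce(basis, delta=Fraction(3, 4)):
    """The basic LLL loop from the slide (0-based, so k starts at index 1):
    size-reduce v_k, test the Lovasz condition with parameter delta,
    swap and step back on failure, step forward on success."""
    b = [list(v) for v in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        # Step [3]: enforce |mu[k][j]| <= 1/2 for all j < k by replacing
        # v_k with v_k - a*v_j, a being the nearest integer to mu[k][j].
        for j in range(k - 1, -1, -1):
            a = round(mu[k][j])
            if a != 0:
                b[k] = [x - a * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        # Step [4]: Lovasz condition ||v_k*||^2 >= (delta - mu^2) ||v_{k-1}*||^2
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                   # Step [7]
        else:
            b[k], b[k - 1] = b[k - 1], b[k]          # Step [5]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b

def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Check the Size Condition and the Lovasz Condition directly."""
    bstar, mu = gram_schmidt(basis)
    n = len(basis)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    lovasz_ok = all(
        dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        for k in range(1, n))
    return size_ok and lovasz_ok

def disc_squared(basis):
    """Disc(L)^2 = prod ||v_i*||^2 (the Gram determinant). It depends only
    on the lattice, so reduction must leave it unchanged."""
    bstar, _ = gram_schmidt(basis)
    return prod(dot(w, w) for w in bstar)

def hadamard_ratio_squared(basis):
    """(Disc(L) / (||v_1|| ... ||v_n||))^2, which Hadamard's inequality bounds
    by 1; closer to 1 means a more orthogonal (better) basis."""
    return disc_squared(basis) / prod(Fraction(dot(v, v)) for v in basis)

if __name__ == "__main__":
    reduced = lll_reduce(BASIS)
    print("input basis   :", BASIS, "reduced?", is_lll_reduced(BASIS))
    print("LLL output    :", reduced, "reduced?", is_lll_reduced(reduced))
    print("Disc(L)^2     :", disc_squared(BASIS), "->", disc_squared(reduced))
    print("Hadamard ratio^2:", float(hadamard_ratio_squared(BASIS)),
          "->", float(hadamard_ratio_squared(reduced)))
```

Recomputing the whole orthogonalization after every change is the simplest correct choice for a demonstration; production implementations update only the affected μ and v* entries and use floating-point Gram-Schmidt with periodic exact checks.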
Variants and Improvements to LLL
Definition. A KZ Reduced Basis is a basis that satisfies both the Size Condition and the following: for all i, $v_i^*$ is the shortest nonzero vector in the projection of L onto $\mathrm{Span}(v_1, \dots, v_{i-1})^{\perp}$.
Blockwise Korkine-Zolotarev Reduction Algorithm (BKZ-LLL): instead of swapping $v_k$ and $v_{k-1}$ in Step 5 of LLL, take the lattice spanned by a block of vectors $v_i, v_{i+1}, \dots, v_{i+\beta+1}$ and replace them with a KZ Reduced Basis.
Operating Characteristics of BKZ
An advantage of BKZ is that the output improves as one increases the block size β. Indeed, taking β = n gives a full KZ reduced basis for L, so it solves SVP. Of course, the improved output comes at a cost of increased running time.
Lattice-Based Cryptography
Why Attempt To Use Lattices To Build Cryptosystems? Lattice operations offer some speed advantages over "classical" cryptosystems (those based on the Integer Factorization Problem, for example). Combined with the fact that SVP and CVP are well-studied hard problems, this makes it worth looking into cryptosystems whose security depends more directly on SVP and CVP.
The Ajtai-Dwork Lattice Cryptosystem
Ajtai and Dwork (1995) described a lattice-based public key cryptosystem whose security relies on the difficulty of solving CVP in a certain class of lattices $\mathcal{L}_{AD}$. They proved that breaking their system in the average case (i.e. for a randomly chosen lattice of dimension m in $\mathcal{L}_{AD}$) is as difficult as solving SVP for all lattices of dimension n, for a certain n that depends on m. This average-case/worst-case equivalence is a theoretical cryptographic milestone, but unfortunately the Ajtai-Dwork cryptosystem is impractical. Inspired by the work of Ajtai and Dwork, a more practical lattice-based cryptosystem was proposed in 1996 by Goldreich, Goldwasser, and Halevi.
The GGH Public Key Cryptosystem
Key Creation: Choose a lattice L and
  Private Key = $\{v_1, \dots, v_n\}$, a good (short) basis
  Public Key = $\{w_1, \dots, w_n\}$, a bad (long) basis
Encryption: The plaintext m is a binary vector. Also choose a small random "perturbation" vector r. The ciphertext is
$e = m_1 w_1 + \dots + m_n w_n + r$.
Note that the ciphertext vector e is not in the lattice L.
Decryption: Find a vector u in L that is closest to e. If r is small enough, then $u = m_1 w_1 + \dots + m_n w_n$, so solving CVP for e in L will recover m. The private good basis can be used to find u. First write $e = \mu_1 v_1 + \dots + \mu_n v_n$ using real $\mu_1, \dots, \mu_n \in \mathbb{R}$. Then round $\mu_1, \dots, \mu_n$ to the nearest integers: $\lfloor \mu_1 \rceil v_1 + \dots + \lfloor \mu_n \rceil v_n$ will equal u.
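The GGH key creation, encryption and decryption steps above, and the earlier slide on using a basis to try to solve CVP, as an added Python example that is not part of the presentation. The private basis PRIVATE_V, the unimodular matrix UNIMODULAR_U (so the public basis W = U·V spans the same lattice), the message and the perturbation are constructed toy values in dimension 3, far below any secure size. The "write e = μ_1 v_1 + … + μ_n v_n and round" step is Babai's rounding, done exactly in Fractions; the same rounding is also run with the public basis to show why the bad basis does not decrypt.

```python
from fractions import Fraction

# Constructed toy parameters (not from the slides): a "good", nearly
# orthogonal private basis V (rows) and a unimodular matrix U with det U = 1.
PRIVATE_V = [[10, 1, 0], [-1, 10, 1], [0, -1, 10]]
UNIMODULAR_U = [[1, 4, 2], [3, 13, 9], [2, 13, 20]]

def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def vec_mat(x, m):
    """Row vector times matrix: x_1 m_1 + ... + x_n m_n over the rows of m."""
    return [sum(x[i] * m[i][j] for i in range(len(m))) for j in range(len(m[0]))]

def solve_left(m, y):
    """Exact solution x of x·M = y over the rationals (Gauss-Jordan on M^T)."""
    n = len(m)
    aug = [[Fraction(m[j][i]) for j in range(n)] + [Fraction(y[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]

def public_key(v=PRIVATE_V, u=UNIMODULAR_U):
    """Bad basis W = U·V: the same lattice as V, but long and far from orthogonal."""
    return mat_mul(u, v)

def encrypt(m, w, r):
    """e = m_1 w_1 + ... + m_n w_n + r  (m binary, r a small perturbation)."""
    return [a + b for a, b in zip(vec_mat(m, w), r)]

def babai_round(e, basis):
    """Write e = mu_1 b_1 + ... + mu_n b_n over R, round each mu_i, and
    return the resulting lattice vector (Babai's rounding for CVP)."""
    mu = solve_left(basis, e)
    coeffs = [round(c) for c in mu]
    return vec_mat(coeffs, basis)

def decrypt(e, v, w):
    """Find u = closest lattice vector with the good basis, then read m
    off as the (integer) coordinates of u in the public basis."""
    u = babai_round(e, v)
    m = solve_left(w, u)
    assert all(c.denominator == 1 for c in m)   # u is in L, so m is integral
    return [int(c) for c in m]

def decrypt_with_bad_basis(e, w):
    """The same rounding attempted with only the public basis."""
    u = babai_round(e, w)
    return [int(c) for c in solve_left(w, u)]

if __name__ == "__main__":
    W = public_key()
    message = [1, 0, 1]
    perturbation = [1, -1, 1]          # constructed r with entries in {-1, 0, 1}
    e = encrypt(message, W, perturbation)
    print("public basis W      :", W)
    print("ciphertext e        :", e)
    print("decrypt (private V) :", decrypt(e, PRIVATE_V, W))
    print("rounding (public W) :", decrypt_with_bad_basis(e, W))
```

Rounding in V succeeds because every entry of r·V⁻¹ is far below 1/2 for this V; in W the same perturbation is multiplied by U⁻¹, whose entries are large, so the rounded coefficients land on a wrong lattice point.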
Further reading
• Orthogonalized Lattice Enumeration for Solving SVP
• A Lattice Basis Reduction Algorithm
• Finding shortest lattice vectors faster using quantum search
• Space-efficient classical and quantum algorithms for the shortest vector problem
• Algorithms for the Shortest and Closest Lattice Vector Problems
• Faster exponential time algorithms for the shortest vector problem
• A KZ Reduction Algorithm
THANK YOU FOR YOUR ATTENTION!