Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lattice-based Cryptography

Published byMiguel Emery Modified over 11 years ago

Similar presentations

Presentation on theme: "Lattice-based Cryptography"— Presentation transcript:

1 Lattice-based Cryptography
Oded Regev Tel-Aviv University

2 Outline Introduction to lattices Survey of lattice-based cryptography
Hash functions [Ajtai96,…] Public-key cryptography [AjtaiDwork97,…] Construction of a simple lattice-based hash function Open Problems

3 Lattice For vectors v1,…,vn in Rn we define the lattice generated by them as L={a1v1+…+anvn | ai integers} We call v1,…,vn a basis of L v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1

4 History Geometric objects with rich structure
Considerable mathematical interest, starting from early work by Gauss 1801, Hermite 1850, and Minkowski 1896. Recently, many interesting applications in computer science. Some highlights: LLL algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82]. Used for: Factoring rational polynomials, Solving integer programs in a fixed dimension, Breaking knapsack cryptosystems. Cryptanalysis: Coppersmith’s attacks on RSA Cryptography: Ajtai’s one-way functions and the average case connection [Ajtai96] Lattice-based cryptosystems [AjtaiDwork97] Related to Math, CS, physics… Many more works that I don’t mention LLL gives a very bad approximation The reason lattices are interesting, especially in cryptography: hard problems with lots of structure Ajtai work resulted in many papers, even a recent book % he proved that the problem is hard on average case: a random instance is hard as a worst case instance

5 Shortest Vector Problem (SVP)
SVP: given a lattice, find a shortest (nonzero) vector -approximate SVP: given a lattice, find a vector of length at most  times the shortest Other lattice problems: SIVP, SBP, etc. v2 v1 3v2-4v1

6 Lattice Problems Seem Hard
Conjecture: for any =poly(n), -approximate SVP is hard Best known algorithm runs in time 2n [AjtaiKumarSivakumar01] On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04] Best poly-time algorithm solves for =2nloglogn/logn [LLL82, Schnorr85] NP-hard for sub-polynomial  [Ajtai97,Micciancio01,Khot04,HavivR07] Explain the importance of average case hardness – factoring is easy 100003*2=200006 1 2log1-²n n n 2n loglogn/logn NP∩coNP crypto NP-hard P

7 Survey of Lattice-based Cryptography

8 Why use lattice-based cryptography
Provably secure Security based on a worst-case problem Based on hardness of lattice problems (Still) Not broken by quantum algorithms Very simple computations Can do more things ‘Standard’ cryptography Not always provable… Security based on an average-case problem Based on hardness of factoring, discrete log, etc. Broken by quantum algorithms Require modular exponentiation etc. Explain the importance of average case hardness – factoring is easy 100003*2=200006

9 Provable Security Reduce solving a hard problem to breaking the cryptographic function A security proof gives a strong evidence that our cryptographic function has no fundamental flaws Can also give hints as to choice of parameters Example: One-wayness of modular squaring Somehow choose N=pq for two large primes p,q f(x)=x2 mod N If we can compute square roots then we can factor N Explain the importance of average case hardness – factoring is easy 100003*2=200006

10 Average-case hardness is not so nice…
How do you pick a “good” N in RSA? Just pick p,q as random large primes and set N=pq? (1978) Largest prime factors of p-1,q-1 should be large (1981) p+1 and q+1 should have a large prime factor (1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors (1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors Bottom line: currently, none of this is relevant Explain the importance of average case hardness – factoring is easy 100003*2=200006

11 Provable security based on average-case hardness
The cryptographic function is hard provided almost all N are hard to factor N fN Explain the importance of average case hardness – factoring is easy 100003*2=200006

12 Provable security based on worst-case hardness
The cryptographic function is hard provided the lattice problem is hard in the worst-case This is a much stronger security guarantee It assures us that our distribution is correct L fL Explain the importance of average case hardness – factoring is easy 100003*2=200006

13 Collision-Resistant Hash Functions
A CRHF is a function f:{0,1}r{0,1}s with r>s such that it is hard to find collisions, i.e., xy s.t. f(x)=f(y) First lattice-based CRHF given in [Ajtai96] Based on the worst-case hardness of n8-approximate SVP Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04] Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04] Explain the importance of average case hardness – factoring is easy 100003*2=200006

14 The Modular Subset-Sum Function
Let N be a big integer, and m=2log2N Choose a1,…,am uniformly in {0,…,N-1}. Then define fa1,…,am:{0,1}m{0,…,N-1} by fa1,…,am(b1,…,bm) = Σbiai mod N Since m>log2N, (many) collisions exist We will later see a proof of security: Being able to find a collision in a randomly chosen f, even with probability n-100 implies a solution to any instance of approximate-SVP Simply subset sum, no wavy distribution Family of functions

15 Recent Work: More Efficient CRHFs
In the constructions above, for security based on n-dimensional lattices, O(n2) bits are necessary to specify a hash function More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06] Essentially the same subset-sum function except over a different ring Only O(n) bits needed to specify a hash function Based on worst-case hardness of approximate-SVP on a restricted class of lattices (e.g., cyclic or ideal lattices) Explain the importance of average case hardness – factoring is easy 100003*2=200006

16 Public-key Cryptosystem
A PKC allows parties to communicate securely without having to agree on a secret key beforehand First lattice-based PKC presented in [AjtaiDwork97] Some improvements [GoldreichGoldwasserHalevi97, R03,Peikert08] Advantages: Worst-case hardness Based on lattice problems (GapSVP) Main disadvantage: impractical! (think of n as 100): Public key size O(n4) Encryption expands by O(n2) Explain the importance of average case hardness – factoring is easy 100003*2=200006

17 A Recent Public-key Cryptosystem [R05]
Advantages: Worst-case hardness Based on the main lattice problems (SVP, SIVP) Main advantage: practical! (think of n as 100): Public key size O(n) Encryption expands by O(n) One (minor?) disadvantage: Breaking the cryptosystem implies an efficient quantum algorithm for lattices Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09, ...]) Approximation factors are quite good too

18 Example of a lattice-based PKC [R05]
Everything modulo 4 Private key: 4 random numbers Public key: a 6x4 matrix and approximate inner product Encrypt the bit 0: Encrypt the bit 1: 2·1 + 0·2 + 1·0 + 2·3 = 0 1·1 + 2·2 + 2·0 + 3·3 = 2 0·1 + 2·2 + 0·0 + 3·3 = 1 1·1 + 2·2 + 0·0 + 2·3 = 3 0·1 + 3·2 + 1·0 + 3·3 = 3 3·1 + 3·2 + 0·0 + 2·3 = 3 2·? + 0·? + 1·? + 2·? ≈ 1 1·? + 2·? + 2·? + 3·? ≈ 2 0·? + 2·? + 0·? + 3·? ≈ 1 1·? + 2·? + 0·? + 2·? ≈ 0 0·? + 3·? + 1·? + 3·? ≈ 3 3·? + 3·? + 0·? + 2·? ≈ 2 2·1 + 0·2 + 1·0 + 2·3 ≈ 1 1·1 + 2·2 + 2·0 + 3·3 ≈ 2 0·1 + 2·2 + 0·0 + 3·3 ≈ 1 1·1 + 2·2 + 0·0 + 2·3 ≈ 0 0·1 + 3·2 + 1·0 + 3·3 ≈ 3 3·1 + 3·2 + 0·0 + 2·3 ≈ 2 3·? + 2·? + 1·? + 0·? ≈ 1 This gives n^2 but n can be achieved 3·? + 2·? + 1·? + 0·? ≈ 3

19 Construction of a Lattice-based Collision Resistant Hash Function

20 Blurring a Picture

21 Blurring a Lattice

22 Blurring a Lattice

23 Blurring a Lattice

24 Blurring a Lattice

25 Blurring a Lattice

26 The Smoothing Radius Define the smoothing radius =(L)>0 as the smallest real such that adding Gaussian blur of radius  to L yields an essentially uniform distribution The radius  was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93] It was shown that  is ‘small’ in the sense that finding vectors of length poly(n)(L) implies solution to poly(n)-approximate SVP Simply subset sum, no wavy distribution Family of functions

27 An Alternative Definition
Define h:Rn![0,1)n that maps any x=Σivi to h(x)=(1,…,n) mod 1. E.g., any xL has h(x)=(0,…,0) Then an alternative way to define  is as: The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius , then h(x) is ‘essentially’ uniform on [0,1)n Simply subset sum, no wavy distribution Family of functions

28 Rn [0,1)n (0,1) (1,1) h(x2) h(x3) h(x1) h(x4) (0,0) (1,0) x2 x1 x4 x3
h(x1) Simply subset sum, no wavy distribution Family of functions h(x4) (0,0) (1,0)

29 fa1,…,am(b1,…,bm) = Σbiai (mod q)
Our CRHF Fix the dimension n, let q=22n, and m=4n2 Choose a1,…,am uniformly in Zqn. Then define fa1,…,am:{0,1}m{0,1}nlog2q by fa1,…,am(b1,…,bm) = Σbiai (mod q) Since m>nlog2q, (many) collisions exist We now prove security by showing that: Being able to find a collision in a randomly chosen fa1,…,am, even with probability n-100, implies a solution to any instance of poly(n)-approximate SVP Simply subset sum, no wavy distribution Family of functions

30 Security Proof Σbiai = 0 (mod q). Σbiai  (0,…,0) (mod 1)
Assume there exists an algorithm CollisionFind that given a1,…,am chosen uniformly in Zqn, finds with some non-negligible probability b1,…,bm{-1,0,1} (not all zero) such that Σbiai = 0 (mod q). This implies an algorithm CollisionFind’ that given a1,…,am chosen uniformly from [0,1)n, finds with some non-negligible probability b1,…,bm{-1,0,1} (not all zero) such that Σbiai  (0,…,0) (mod 1) (up to m/q in each coordinate) Simply subset sum, no wavy distribution Family of functions

31 CollisionFind’ a2 a3 a4 a1 a5 a6 Output: “a1+a2-a4+a5(0,…,0) (mod 1)”
(0,1) (1,1) a2 a3 a4 a1 a5 a6 Simply subset sum, no wavy distribution Family of functions (0,0) (1,0) Output: “a1+a2-a4+a5(0,…,0) (mod 1)”

32 Security Proof Our goal is to show that using CollisionFind’ we can find a nonzero vector of length at most poly(n)(L) in any given lattice L So let L be a given lattice with basis v1,…,vn By using the LLL algorithm, we can assume that v1,…,vn are not ‘unreasonably’ long: say, of length at most 2n(L) Simply subset sum, no wavy distribution Family of functions

33 Security Proof – Main Procedure
Sample m vectors x1,…,xm from the Gaussian distribution around 0 of radius  Compute a1:=h(x1),…,am:=h(xm) Each ai is uniformly distributed in [0,1)n Apply CollisionFind’ to obtain b1,…,bm  {-1,0,1} such that Σbih(xi)  (m/q,…,m/q) (mod 1) Define y=Σbixi. Then, y is short (of length m) y is extremely close to a lattice point since h(y)=Σbih(xi)(m/q,…,m/q) (mod 1) Simply subset sum, no wavy distribution Family of functions

34 Security Proof – Main Procedure
Write y=Σivi for some reals 1,…,n So each i is within m/q of an integer Define the lattice vector y’=Σivi The distance So y’ is a lattice vector of length at most (m+1) Simply subset sum, no wavy distribution Family of functions

35 CollisionFind’(a1,a2,a3,a4)“-a2-a3+a40 (mod 1)”
x1 x2 x3 x4 y’ y Simply subset sum, no wavy distribution Family of functions CollisionFind’(a1,a2,a3,a4)“-a2-a3+a40 (mod 1)”

36 Security Proof – One Last Issue
How to guarantee that y’ is nonzero? Maybe CollisionFind’ acts in some ‘malicious’ way, trying to make y’ zero It can be shown that ai does not contain enough information about xi In other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y’ is nonzero with very high probability Simply subset sum, no wavy distribution Family of functions

37 Security Proof – Conclusion
By a single call to the collision finder, we can find in any lattice, a nonzero vector of length at most (m+1) with some non-negligible probability By repeating this procedure we can obtain such a vector with very high probability The essential idea: Simply subset sum, no wavy distribution Family of functions All lattices look the same after adding some small amount of blur

38 Open Problems Establish recommended parameters Cryptanalysis
Known attacks limited to low dimension [NguyenStern98] New systems [Ajtai05,R05] are efficient and can be used with high dimensions Improved cryptosystems Use special classes of lattices

Download ppt "Lattice-based Cryptography"

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Quantum Cryptography ( EECS 598 Presentation) by Amit Marathe.

Quantum Cryptography ( EECS 598 Presentation) by Amit Marathe.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.

Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Similar presentations

Ads by Google