Presentation is loading. Please wait.

Presentation is loading. Please wait.

New Lattice Based Cryptographic Constructions

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "New Lattice Based Cryptographic Constructions"— Presentation transcript:

1 New Lattice Based Cryptographic Constructions
Oded Regev

2 Lattices Basis: v1,…,vn vectors in Rn
The lattice is a1v1+…+anvn for all integer a1,…,an. What is the shortest vector u ? v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1

3 Lattices – not so easy 3v1-4v2 v1 v2

4 f(n)-unique-SVP (shortest vector problem)
Promise: the shortest vector u is shorter by a factor of f(n) Algorithm for 2n-unique SVP [LLL82,Schnorr87] Believed to be hard for any nc 1 f(n) 1 nc 2n believed hard easy

5 History Geometric objects with rich structure
Early work by Gauss 1801, Hermite 1850, Minkowski 1896 More recent developments: LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82] Factoring rational polynomials Solving integer programs in a fixed dimension Breaking knapsack cryptosystems Ajtai’s average case connection [Ajtai96] Lattice based cryptosystems

6 Question From which distribution is the following sequence taken?
478, 21, 431, 897, 150, 701, 929, 232 Uniform? Prob 1 1000 Prob Or wavy? 1 1000

7 The d,γ-wavy Distribution
Periodization of the normal distribution R=2^(2n2) Number of periods is d (usually integer) Ratio of period to standard dev. is γ distd : {0,…,R-1}  [0,½] is the normalized distance from the nearest peak d=7 Prob R-1

8 Main Theorem For all γ=γ(n), a reduction from
γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n2)

9 Average-case Theorem For all γ=γ(n), a reduction from
γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions for a non-negligible fraction of values d in [2^(n2),2•2^(n^2)]

10 Applications of Main Theorem
Public key encryption scheme Collision resistant hash function A problem in quantum computation

11 Cryptography ‘Standard’ cryptography:
Usually based on factoring, discrete log, principal ideal problem Average case assumption Mostly broken by quantum computers Lattice based cryptography [Ajtai96,…]: Based on lattice problems Worst case assumption Still not broken by quantum computers

12 Application 1 Public Key Encryption (PKE)
Consists of private key, public key, encryption and decryption The Ajtai-Dwork cryptosystem [AjtaiDwork96,GoldreichGoldwasserHalevi97] Previously, the only lattice based PKE with worst case assumption Based on n7-unique Shortest Vector Problem

13 Application 1 Public Key Encryption (PKE)
We construct a new lattice based PKE from the average-case theorem: Very simple description Improves Ajtai-Dwork to n1.5-unique Shortest Vector Problem Uses integer numbers, very efficient

14 Application 2 Collision Resistant Hash Function
A function f:{0,1}r{0,1}s with r>s such that it is hard to find collisions, i.e., xy s.t. f(x)=f(y) Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02] Our construction is The first which is not based on Ajtai’s iterative step Somewhat stronger (based on n1.5-uSVP)

15 Application 3 Quantum Computation
Quantum computers can break cryptography based on factoring [Shor96] Based on the HSP on Abelian groups What about lattice based cryptography?

16 Application 3 Quantum Computation
Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02] Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]

17 Main Theorem For all γ=γ(n), a reduction from
γn1/2-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n2)

18 Proof of the Main Theorem

19 Proof Outline n1.5-Unique-SVP decision problem promise problem
n-dim distributions Main theorem

20 Reduction to: Decision Problem
Given a n1.5-unique lattice, and a prime p>n1.5 Assume the shortest vector is: u = a1v1+a2v2+…+anvn Decide whether a1 is divisible by p

21 The Reduction Idea: decrease the coefficients of the shortest vector
If we find out that p|a1 then we can replace the basis with pv1,v2,…,vn . u is still in the new lattice: u = (a1/p)•pv1 + a2v2 + … + anvn The same can be done whenever p|ai for some i

22 The Reduction But what if p ai for all i ? |
Consider the basis v1,v2-v1,v3,…,vn The shortest vector is u = (a1+a2)v1 + a2(v2-v1) + a3v3 + … + anvn The first coefficient is a1+a2 Similarly, we can set it to a1-bp/2ca2 ,…, a1-a2 , a1 , a1+a2 , … , a1+bp/2ca2 One of them is divisible by p, so we choose it and continue |

23 Proof Outline n1.5-Unique-SVP  decision problem promise problem
n-dim distributions Main theorem

24 Reduction from: Decision Problem
Given a n1.5-unique lattice, and a prime p>n1.5 Assume the shortest vector is: u = a1v1+a2v2+…+anvn Decide whether a1 is divisible by p

25 Reduction to: Promise Problem
Given a lattice, distinguish between: Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n Case 2. Shortest vector is of length more than n

26 The reduction Input: a basis (v1,…,vn) of a n1.5 unique lattice
Scale the lattice so that the shortest vector is of length 1/n Replace v1 by pv1. Let M be the resulting lattice If p | a1 then M has shortest vector 1/n and all non-parallel vectors more than n If p a1 then M has shortest vector more than n |

27 The input lattice L L 1/n n -u u 2u

28 The lattice M M The lattice M is spanned by pv1,v2,…,vn:
If p|a1, then u = (a1/p)•pv1 + a2v2 +…+ anvn 2M : M n 1/n u

29 The lattice M M The lattice M is spanned by pv1,v2,…,vn:
If p a1, then u M: | 2 M n -pu pu

30 Proof Outline n1.5-Unique-SVP  decision problem  promise problem
n-dim distributions Main theorem

31 Reduction from: Promise Problem
Given a lattice, distinguish between: Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n Case 2. Shortest vector is of length more than n

32 n-dimensional distributions
Distinguish between the distributions: ? Wavy Uniform

33 Dual Lattice L L* Given a lattice L, the dual lattice is
L* = { x | 8y2L, <x,y>2Z } 1/5 L L* 5

34 L* - the dual of L L* n L n Case 1 1/n n Case 2

35 Reduction Choose a point randomly from L*
Perturb it by a Gaussian of radius n

36 Creating the Distribution
L* L*+ perturb Case 1 n Case 2

37 Analyzing the Distribution
Theorem: (using [Banaszczyk’93]) The distribution obtained above depends only on the points in L of distance n from the origin (up to an exponentially small error) Therefore, Case 1: Determined by multiples of u  wavy on hyperplanes orthogonal to u Case 2: Determined by the origin  uniform

38 Proof of Theorem For a set A in Rn, define:
Poisson Summation Formula implies: Banaszczyk’s theorem: For any lattice L,

39 Proof of Theorem (cont.)
In Case 2, the distribution obtained is very close to uniform: Because:

40 Proof Outline n1.5-Unique-SVP  decision problem  promise problem 
n-dim distributions Main theorem

41 n-dimensional distributions
Distinguish between the distributions Given by an oracle that returns points inside a cube of side length 2n ? Wavy Uniform

42 Main Theorem Distinguish between the distributions: Uniform: Wavy: R-1
R-1 Wavy: R-1

43 Reducing to 1-dimension
First attempt: sample and project to a line

44 Reducing to 1-dimension
But then we lose the wavy structure! We should project only from points very close to the line

45 The solution Use the periodicity of the distribution
Project on a ‘dense line’ :

46 The solution

47 The solution We choose the line that connects the origin to e1+Ke2+K2e3…+Kn-1en where K is large enough The distance between hyperplanes is n The sides are of length 2n Therefore, we choose K=2O(n) Hence, d<O(Kn)=2^(O(n2))

48 Done n1.5-Unique-SVP  decision problem  promise problem 
n-dim distributions Main theorem

49 From Worst-Case to Average-Case

50 Worst-case vs. Average-case
Main theorem presents a problem that is hard in the worst-case: distinguish between uniform and d,γ-wavy distributions for all integers d<2^(n2) For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of d in [2^(n2), 2•2^(n2)]

51 Compressing The following procedure transforms d,γ-wavy into 2d,γ-wavy for all integer d: Sample a from the distribution Return either a/2 or (a+R)/2 with probability ½ In general, for any real a1, we can compress d,γ-wavy into ad,γ-wavy Notice that compressing preserves the uniform distribution We show a reduction from worst-case to average-case

52 Reduction Assume there exists a distinguisher between uniform and d,γ-wavy distribution for some non-negligible fraction of d in [2^(n2), 2•2^(n2)] Given either a uniform or a d,γ-wavy distribution for some integer d<2^(n2) repeat the following: Choose a in {1,…,2¢2^(n2)} according to a certain distribution Compress the distribution by a Check the distinguisher’s acceptance probability If for some a the acceptance probability differs from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’

53 Reduction Distribution is uniform: Distribution is d,γ-wavy: 1 2^(n2)
After compression it is still uniform Hence, the distinguisher’s acceptance probability equals that of uniform sequences for all a Distribution is d,γ-wavy: After compression it is in the good range with some probability Hence, for some a, the distinguisher’s acceptance probability differs from that of uniform sequences 1 2^(n2) 2¢2^(n2) d

54 Application 1 Public Key Encryption Scheme

55 PKE – Description Let m=2log2R=4n2 Private key: Public key:
A real number y chosen uniformly in [2^(n2),2¢2^(n2)] such that y is close to an integer (1/100m) Public key: Choose integers A={a1,…,am} from the y,γ-wavy distribution with γ=n1+ε Lemma: Public keys are indistinguishable from uniform sequences (based on n1.5+ε unique-SVP)

56 PKE – Description (cont.)
Private key: y Public key: A={a1,…,am} Encryption: Bit 0: a number chosen uniformly in {0,…,R-1} Bit 1: the sum of a random subset of A mod R Decryption of w: If disty(w)<1/50 then 1 otherwise 0

57 PKE – Correctness Encryption of the bit 0: Encryption of the bit 1:
With probability 96%, disty(Sai)>1/50 These errors can be avoided Encryption of the bit 1: For a subset S, with high probability, disty(Sai)<1/100 Using Sai < m¢R, disty(Sai mod R)<1/50

58 PKE - Security Enc(0) ? Enc(1) public key {a1,…,am} Enc(0)~
Lemma: If {a1,…,am} is a uniform sequence then both encryptions of 0 and of 1 are uniform Hence, distinguishing between encryptions of 0 and 1 implies distinguishing between public keys and uniform sequences! Enc(0) ? Enc(1) public key {a1,…,am} uniform {a1,…,am} Enc(0)~ Enc(1)

59 PKE – Security Lemma: Public keys are indistinguishable from uniform sequences (based on n1.5+ε unique-SVP) Proof: Follows from the average-case theorem (since we choose y from a set of size 1/(50m) of all [2^(n2),2¢2^(n2)])

60 Application 2 Collision Resistant Hash Function

61 Collision Resistant Hash Function
Choose a1,…,am uniformly in {0,…,R-1} where m=2log2R=4n2. Then: b1,…,bm{0,1}, f(b1,…,bm)=Σbiai mod R We will see a simpler proof based on n2.5+ε-uSVP

62 Collision Resistant Hash Function
Assume there exists a collision finding algorithm C I.e., with non-negligible probability, given a1,…,am chosen uniformly, C finds c1,…,cm{-1, 0,1} (not all zero) such that Σaici = 0 (mod R)

63 Collision Resistant Hash Function
We show how to distinguish between the uniform and the d,γ-wavy with γ=n2+ε using C Choose z uniformly from {0,…,R-1} With probability 0.9, distd(z) > 1/20 Repeat the following enough times: Choose a1,…,am from the unknown distribution Call C with a1,…,ak-1,(ak+z mod R),ak+1,…,am where k is chosen uniformly from {1,…,m} If ck is always zero or C keeps failing, say ‘wavy’ otherwise ‘uniform’

64 Correctness Distribution is uniform:
a1,…,ak-1,(ak+z mod R),ak+1,…,am has the same distribution as a uniform sequence Therefore, C answers with non-negligible probability and ck0 with probability at least 1/m Distribution is d,γ-wavy: W.h.p., i{1,…,m}, distd(ai) < 1/(100n2) For all c1,…,cm{-1,0,1}, distd(Σciai) < 1/25 (since m=4n2) Therefore, if z has distd(z) > 1/20 then it can never be included in the sum, i.e., ck=0

65 Application 3 Quantum Computation – The Dihedral HSP

66 Hidden Subgroup Problem
Given a function that is constant and distinct on cosets of HG, find H Solved for Abelian groups Also for certain non-Abelian groups [RöttelerBeth’98,HallgrenRussellTashma’00,GrigniSchulmanVaziraniVazirani’01…] Still open for many groups. In particular: Symmetric group Dihedral group (ZNZ2)

67 Solving Dihedral HSP Two approaches: Ettinger and Høyer ’00
Reduction to “Period finding from samples” R ’02, Kuperberg ‘03 Reduction to average case subset sum

68 Solving Dihedral HSP Idea of Ettinger and Høyer:
Reduce to “Hidden Translation on ZN”: Given an oracle that outputs states of the form |xi+|x+di where x is arbitrary and d is fixed, find d Take the Fourier transform Measure

69 Period Finding from Samples
Find the period of the following (cos2) distribution by sampling: [EH] showed that there is enough information in a polynomial number of samples Open question in [EH]: is there an efficient solution to this problem? R-1

70 Reduction Lemma: A distinguisher between cos2 and the uniform distribution implies a distinguisher between the wavy and uniform distribution

71 Guess the period and add noise

72 Reduction Corollary: finding the period of the cos2 distribution is hard Proof: Since all cos2 distributions look like uniform, they all look the same

73 Conclusion Main theorem Average case form Applications
Strong public key encryption scheme Collision resistant hash function Solution to an open question in quantum computation Other applications?

Download ppt "New Lattice Based Cryptographic Constructions"

Similar presentations

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/0111102 I was born at the Big Bang. Cool! We have the same birthday.

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/ I was born at the Big Bang. Cool! We have the same birthday.
Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
Pretty-Good Tomography Scott Aaronson MIT. Theres a problem… To do tomography on an entangled state of n qubits, we need exp(n) measurements Does this.

Pretty-Good Tomography Scott Aaronson MIT. Theres a problem… To do tomography on an entangled state of n qubits, we need exp(n) measurements Does this.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
Umesh V. Vazirani U. C. Berkeley Quantum Algorithms: a survey.

Umesh V. Vazirani U. C. Berkeley Quantum Algorithms: a survey.
1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)
Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.

Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

Similar presentations

Ads by Google