Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)

Published bySharon Cain Modified over 9 years ago

Similar presentations

Presentation on theme: "Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)"— Presentation transcript:

1 Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)

2 La Cryptographie Reposant sur les Réseaux: de la Pratique à la Théorie à la Pratique Vadim Lyubashevsky INRIA / CNRS / ENS Paris (Septembre 12, 2011)

3 Lattice-Based Encryption Schemes 1.NTRU [Hoffstein, Pipher, Silverman ‘98] 2.LWE-Based [Regev ‘05] 3.Ring-LWE Based [L, Peikert, Regev ’10] 4.“NTRU-like” with a proof of security [Stehle, Steinfeld ‘11]

4 Cryptosystèmes Reposant sur les Réseaux 1.NTRU [Hoffstein, Pipher, Silverman ‘98] 2.Reposant sur LWE [Regev ‘05] 3.Reposant sur Anneau-LWE [L, Peikert, Regev ’10] 4.“NTRU” avec une preuve de la sécurité [Stehle, Steinfeld ‘11]

5 Subset Sum Problem Subset-Sum Based [L, Palacio, Segev ‘10] LWE-Based [Regev ‘05] Ring-LWE Based [L, Peikert, Regev ’10] “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11] NTRU [Hoffstein, Pipher, Silverman ‘98]

6 Part 0. The Subset Sum Problem

7 a i, T in Z M a i are chosen randomly T is a sum of a random subset of the a i a 1 a 2 a 3 … a n T Find a subset of a i 's that sums to T (mod M) Subset Sum Problem

8 a i, T in Z 49 a i are chosen randomly T is a sum of a random subset of the a i 15 31 24 3 14 11 15 + 31 + 14 = 11 (mod 49) Subset Sum Problem

9 How Hard is Subset Sum? a i, T in Z M a 1 a 2 a 3 … a n T Find a subset of a i 's that sums to T (mod M) Hardness Depends on: Size of n and M Relationship between n and M

10 Complexity of Solving Subset Sum M run-time 2 log²(n) 2n2n 2 n log(n) 2 n² poly(n)2 Ω(n) poly(n) “generalized birthday attacks” [FlaPrz05,Lyu06,Sha08] “lattice reduction attacks” [LagOdl85,Fri86]

11 Subset Sum Crypto Why?  Simple operations  Exponential hardness  Seems very different from number theoretic assumptions  Seems to resist quantum attacks

12 Subset Sum is “Pseudorandom” [Impagliazzo-Naor 1989]: For random a 1,...,a n in Z M and random x 1,...,x n in {0,1} distinguishing the distribution (a 1,...,a n, a 1 x 1 +...+a n x n mod M) from the uniform distribution U(Z M n+1 ) is as hard as finding x 1,...,x n

13 Part 1. Cryptosystem Based on Subset Sum [L, Palacio, Segev 2010]

14 Public Key Encryption Allows for secure communication between parties who have previously never met

15 Public Key Encryption public key: p secret key: s Encrypt, Decrypt Decrypt(s,Encrypt(p,M))=M c=Encrypt(p,M) M=Decrypt(s,c)

16 Public Key Encryption c=Encrypt(p,M) What does “secure” mean? Intuitive answer: The adversary should not be able to read the message.

17 Public Key Encryption c=Encrypt(p,M), c=Encrypt(p,M) What does “secure” mean? Intuitive answer: The adversary should not be able to read the message. But what about other information about the message? E.g. If adversary can figure out that the same message was sent twice, is the scheme “secure”?

18 Public Key Encryption What does “secure” mean? Semantic Security: For every 2 messages M, M', it's impossible to distinguish Encrypt(p,M) from Encrypt(p,M') in polynomial time The Encrypt algorithm must be randomized!

19 Subset Sum Cryptosystem Semantically secure based on Subset Sum for M ≈ n n Main tools Subset sum is pseudo-random Addition in (Z q ) n is “kind of like” addition in Z M where M=q n The proof is very simple

20 Facts About Addition Want to add 4679+3907+8465+1343 mod 10 4 4 6 7 9 3 9 0 7 8 4 6 5 1 3 4 3 4 2 9 1 3 2 8 Adding n numbers (written in base q) modulo q m → carries < n If q>>n, then Adding with carries ≈ Adding without carries (i.e. in Z M ) (i.e. in (Z q ) n ) 4 6 7 9 3 9 0 7 8 4 6 5 1 3 4 3 4726

21 So... 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 1 1 0 1 8 1 1 9 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 1 1 0 1 + 2 1 1 0 0 2 2 9 = = NOT Pseudorandom! Pseudorandom based on Subset Sum!

22 Column Subset Sum Addition Is Also Pseudorandom 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 11011101 11101110 09800980 + =

23 “Hybrid” Subset Sum Addition Is Also Pseudorandom 4 6 7 9 0 3 9 0 7 9 8 4 6 5 8 1 6 4 3 0 1 0 0 1 + 1 1 1 0 0 6 3 2 2 0 = pseudorandom

24 Encryption Scheme (for 1 bit) A st =+ A t r + uv = Public Key {0,1} n Z q n x n

25 Encryption Scheme A st =+ A t r + uv = Is pseudo-random based on the hardness of the subset sum problem

26 Encryption Scheme A st =+ A t r + uv = v As + r + As r As r + As = =

27 A st =+ A t r + uv = u s A r s = + A r s + = ≈ v

28 u s v - = A st =+ A t r + uv = Encryption of 0

29 u s - = Encryption Scheme A st =+ A t r + uv = Encryption of 1 + 0 u = + q/2 v’

30 Part 2. Cryptosystem Based on Learning With Errors and Worst-Case Lattice Problems [Regev 2005]

31 Encryption Scheme (what we needed) A st =+ A t r + uv = Pseudorandom “small”

32 Picking the “Carries” In Subset Sum: carries were deterministic What if … we pick the “carries” at random from some distribution?

33 So... 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 1 1 0 1 + 2 1 1 0 0 2 2 9 = Pseudorandom based on Subset Sum! 4 6 7 9 3 9 0 7 8 4 6 5 1 6 4 3 2 3 0 1 + 1 3 2 1 7 2 0 3 = Pseudorandom based on LWE and worst-case lattice problems [Reg ‘05] (with a lemma from [ACPS ‘09])

34 Given a i and + e i find s. (e i and s are “small”) (Once there are enough a i, the s is uniquely determined) Theorem [Regev '05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE. Learning With Errors (LWE) Problem... a1a1 a2a2 amam s + e = b

35 Decision LWE Problem... a1a1 a2a2 s + e = b World 1... a2a2 a1a1 amam b uniformly random in Z p m World 2 Lemma[Reg ’05]: Search-LWE < Decision-LWE amam

36 LWE vs. Subset Sum The Subset Sum assumption has deterministic “noise” The LWE assumption is more “versatile”... a1a1 a2a2 amam s + e = b LWE Problem n2n2 n s += b Subset Sum Problem n2n2 n a2a2 a1a1 anan …

37 LWE / Subset Sum Encryption A st =+ A t r + uv = n-bit EncryptionHaveWant Public Key SizeÕ(n) / Õ(n 2 )O(n) Secret Key SizeÕ(n) / Õ (n 2 )O(n) Ciphertext ExpansionÕ(n) / Õ (1)O(1) Encryption TimeÕ(n 3 ) / Õ (n 2 )O(n) Decryption TimeÕ(n 2 )O(n)

38 Part 3. Cryptosystem Based on Learning With Errors over Rings and Worst-Case Ideal Lattice Problems [L, Peikert, Regev 2010]

39 Source of Inefficiency of LWE 1 0 2 1 37822 * += 1 Getting just one extra random-looking number requires n random numbers and a small error element. Wishful thinking: get n random numbers and produce n pseudo-random numbers in “one shot” 2 8 7 3 * += 1 0 2 1

40 Use Polynomials f(x) is a polynomial x n + a n-1 x n-1 + … + a 1 x + a 0 R = Z p [x]/(f(x)) is a polynomial ring with Addition mod p Polynomial multiplication mod p and f(x) Each element of R consists of n elements in Z p In R: small+small = small small*small = small (depending on f(x) )

41 Polynomial Interpretation of the LWE-based cryptosystem astrau rtv vus ++ + == = - rt + ra + s ras + + ra + s r + s =- - -= Public Key

42 Security astrau rtv ++ + == = Pseudorandom??

43 Learning With Errors over Rings a1a1 a2a2 a3a3 … amam s b1b1 b2b2 b3b3 … bmbm + = e1e1 e2e2 e3e3 … emem Theorem [LPR ‘10]: Finding s is as hard as solving lattice problems in all ideals of the ring Z[x]/(f(x))

44 Decision Learning With Errors over Rings a1a1 a2a2 a3a3 … amam s b1b1 b2b2 b3b3 … bmbm + = a1a1 a2a2 a3a3 … amam b1b1 b2b2 b3b3 … bmbm Theorem [LPR ‘10]: In cyclotomic rings, Search-RLWE < Decision-RLWE World 1World 2

45 Use Polynomials in Z p [x]/(f(x)) astrau rtv ++ + == = n-bit EncryptionFrom LWE / SSFrom Ring-LWE Public Key SizeÕ(n) / Õ(n 2 )Õ(n) Secret Key SizeÕ(n) / Õ (n 2 )Õ(n) Ciphertext ExpansionÕ(n) / Õ (1)Õ(1) Encryption TimeÕ(n 3 ) / Õ (n 2 )Õ(n) Decryption TimeÕ(n 2 )Õ(n)

46 Part 4. 1-Element Cryptosystem Based on Learning With Errors over Rings and Worst-Case Ideal Lattice Problems [Stehle, Steinfeld 2011]

47 Number of Ring Elements astrau rtv ++ + == = uv + m p 2, Can you have a ciphertext with just 1 ring element? Encryption of m:

48 Stehle, Steinfeld Cryptosystem f g aar ++ mu 2= ugr ++ m 2 fgg = ug mod 2= mg ug = g m = Uniformly random Pseudorandom based on Ring-LWE mod p “small” coefficients

49 Part 5. NTRU Cryptosystem [Hoffstein, Pipher, Silverman 1998]

50 NTRU Cryptosystem f g aar ++ mu 2== “looks” random If a is random, then pseudorandom based on Ring-LWE fg - Very small ugr ++ m 2 fgg = mod p Since f, g are smaller, p can be smaller as well

51 (Textbook) NTRU Cryptosystem / Trap-Door Function f g a = fg - Very small ugr + m 2 fg = mod p ar + mu 2 = ug mod 2= mg ug = g m

52 Thanks, eh!

Download ppt "Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)"

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
Lattice-Based Cryptography

Lattice-Based Cryptography
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:

Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
Cryptography in Subgroups of Z n * Jens Groth UCLA.

Cryptography in Subgroups of Z n * Jens Groth UCLA.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Similar presentations

Ads by Google