Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lattice-based cryptography and quantum Oded Regev Tel-Aviv University.

Published byTamsin Anderson Modified over 9 years ago

Similar presentations

Presentation on theme: "Lattice-based cryptography and quantum Oded Regev Tel-Aviv University."— Presentation transcript:

1 Lattice-based cryptography and quantum Oded Regev Tel-Aviv University

2 Outline Introduction to lattices Main result: a stronger and more efficient public key encryption scheme Main theorem: a hard learning problem Proof of main theorem Overview Part I: Quantum Part II: Classical

3 A lattice is a set of points in n dimensional space A lattice is a set of points in n dimensional space For any vectors v 1, …,v n in R n, the lattice spanned by v 1, …,v n is For any vectors v 1, …,v n in R n, the lattice spanned by v 1, …,v n is L={a 1 v 1 + … +a n v n | a i integers} L={a 1 v 1 + … +a n v n | a i integers} These vectors form a basis of L These vectors form a basis of L Lattice v1v1 v2v2 0 2v 1 v 1 +v 2 2v 2 2v 2 -v 1 2v 2 -2v 1

4 SVP: Given a lattice, find a short vector SVP: Given a lattice, find a short vector Like most other lattice problems it is believed to be extremely hard classically. Perhaps also quantumly. Like most other lattice problems it is believed to be extremely hard classically. Perhaps also quantumly. Shortest Vector Problem (SVP) 0 v2v2 v1v1

5 CVP: Given a lattice and a target vector, find the closest lattice point CVP: Given a lattice and a target vector, find the closest lattice point CVP d : Given a lattice and a target vector within distance d, find the closest lattice point CVP d : Given a lattice and a target vector within distance d, find the closest lattice point Closest Vector Problem (CVP) 0 v2v2 v1v1v

6 Every lattice has a dual lattice (also known as the reciprocal) Every lattice has a dual lattice (also known as the reciprocal) The dual lattice of L is The dual lattice of L is L * = {x | 8 y 2 L, h x,y i 2 Z} L * = {x | 8 y 2 L, h x,y i 2 Z} (L * ) * =L (L * ) * =L In fact, the dual lattice is the Fourier transform of the lattice In fact, the dual lattice is the Fourier transform of the lattice Dual Lattice

7 Main Result New Public Key Encryption Scheme

8 Public Key Encryption Scheme (PKES) Allows parties to communicate securely without having to agree on a secret key beforehand Used extensively on the Internet (RSA, PGP…) However, most PKES are based on the hardness of factoring No longer secure in a world with quantum computers !! Main alternative: lattice-based PKES

9 Previous lattice-based PKES Previous lattice-based PKES [AjtaiDwork96,GoldreichGoldwasserHalevi97,R’03] Main advantages: Based on a lattice problem Worst-case hardness Main disadvantages: Based only on unique-SVP Impractical (think of n as  1000): Public key size O(n 4 ) Encryption expands by O(n 2 )

10 New lattice-based PKES [This work] Main advantages: Worst-case hardness Based on the main lattice problems (SVP, SIVP). (More) practical (think of n as  1000): Public key size O(n 2 ) Encryption expands by O(n) However, breaking the cryptosystem implies an efficient quantum algorithm for lattices quantum

11 Why Quantum? As part of the proof, we need to perform a certain algorithmic task on lattices We do not know how to do it classically, only quantumly!

12 Does it really matter? Assume quantum computers can be built (as we all believe) Two cases: 1. Efficient quantum algorithm for lattices exists: Then both previous and new lattice-based PKES are weak 2. No efficient quantum algorithm for lattices: Then both previous and new lattices-based PKES are secure

13 Main Theorem A Hard Learning Problem

14 Learning from parity with error Let s2Z 2 n be a secret We have independent random equations modulo 2 with error: Without error, it’s easy! s 2 +s 3 +s 4 + s 6 +…+s n  0 s 1 +s 2 + s 4 + s 6 +…+s n  1 s 1 + s 3 +s 4 +s 5 + …+s n  1 s 2 +s 3 +s 4 + s 6 +…+s n  0.

15 More formally, we need to learn s from samples of the form (t,st+e) where t is chosen uniformly from Z 2 n and e is a bit that is 1 with probability 10%. Trivial algorithm needs 2 O(n) equations/time Best known algorithm needs 2 O(n/logn) equations/time [ BlumKalaiWasserman’00 ] Open question: why is this problem so hard? Learning from parity with error

16 Learning modulo p Fix some p<poly(n) Let s2Z p n be a secret We have random equations modulo p with error: 2s 1 +0s 2 +2s 3 +1s 4 +2s 5 +4s 6 +…+4s n  2 0s 1 +1s 2 +5s 3 +0s 4 +6s 5 +6s 6 +…+2s n  4 6s 1 +5s 2 +2s 3 +0s 4 +5s 5 +2s 6 +…+0s n  2 6s 1 +4s 2 +4s 3 +4s 4 +3s 5 +3s 6 +…+1s n  5.

17 Learning modulo p More formally, we need to learn s from samples of the form (t,st+e) where t is chosen uniformly from Z p n and e is chosen from Z p Best known algorithm needs 2 O(n) equations/time [ BlumKalaiWasserman’00 ]

18 Main Theorem Learning modulo p is as hard as worst-case lattice problems using a quantum reduction In other words: solving the problem implies an efficient quantum algorithm for lattices This theorem implies our new PKES

19 Proof of the Main Theorem Overview

20 Gaussian Distribution Define a Gaussian distribution on a lattice (normalization omitted) We can efficiently sample from D r for large r=2 n

21 The Reduction √n Assume the existence of an algorithm for the modulo p learning problem for p=2√n Our lattice algorithm: r=2 n Take poly(n) samples from D r Repeat: Given poly(n) samples from D r, compute poly(n) samples from D r/2 Set r←r/2 When r is small, output a short vector

22 DrDr

23 D r/2

24 Obtaining D r/2 from D r √n Let p=2√n Given poly(n) samples from D r, we show how to solve CVP p/r in L * Classical Uses learning oracle mod p Given a solution to CVP p/r in L *, we show how to obtain samples from D √n r/p = D r/2 Quantum Based on the quantum Fourier transform

25 Samples from D r in L Solution to CVP p/r in L * Samples from D r/2 in L Solution to CVP 2p/r in L * Samples from D r/4 in L Solution to CVP 4p/r in L * Classical, uses learning oracle Quantum

26 Fourier Transform Primal world (L)Dual world (L * )

27 Fourier Transform The Fourier transform of D r is given by Its value is 1 for x in L *, e -1 at points of distance 1/r from L *, ¼ 0 at points far away from L *.

28 Proof of the Main Theorem Part I: Obtaining D r/2 from CVP p/r

29 From CVP p/r to D r/2 Assume we can solve CVP p/r ; we’ll show how to obtain samples from D r/2 Idea: Create the quantum state by adding a Gaussian to each lattice point and uncomputing the lattice point by using the CVP algorithm Then compute the (quantum) Fourier Transform

30 From CVP to D r/2 More precisely, create the state And the state Tensor them together and add first to second Uncompute first register by solving CVP p/r

31 From CVP to D r/2 Compute the quantum Fourier transform of It is exactly D r/2 !! Measure and obtain a sample from D r/2 By repeating this quantum process, we can obtain poly(n) samples

32 Proof of the Main Theorem Part II: Solving CVP p/r given samples from D r

33 It ’ s enough to approximate f p/r Lemma: being able to approximate f p/r implies a solution to CVP p/r Proof Idea – walk uphill: f p/r (x)>¼ for points x of distance < p/r Keep making small modifications to x as long as f p/r (x) increases Stop when f p/r (x)=1 (then we are on a lattice point)

34 What ’ s ahead in this part For warm-up, we show how to approximate f 1/r given samples from D r No need for learning This is main idea in [AharonovR’04] Then we show how to approximate f 2/r given samples from D r and an oracle for the learning problem Approximating f p/r is similar

35 Warm-up: approximating f 1/r Let’s write f 1/r in its Fourier representation: Using samples from D r, we can compute a good approximation to f 1/r (this is the main idea in [AharonovR’04])

36

37 Fourier Transform Consider the Fourier representation again: For x 2 L *, h w,x i is integer for all w in L and therefore we get f 1/r (x)=1 For x that is close to L *, h w,x i is distributed around an integer. Its standard deviation can be (say) 1.

38 Approximating f 2/r Consider the distribution D r /2 given by: Sample a vector w from D r Output w/2 We obtain 2 n translates of the distribution D r/2 For t 2 Z 2 n, denote the translate t by D t r/2

39 DrDr

40

41

42 We can equivalently think of our samples as taken from the following distribution: Choose t 2 Z 2 n uniformly at random Output a sample from D t r/2 Consider the Fourier transform of D t r/2 Approximating f 2/r

43

44

45 The functions f t 2/r look almost like f 2/r Only difference is that some Gaussians have their sign flipped Approximating f t 2/r is enough: we can easily take the absolute value and obtain f 2/r For this, we need to obtain several samples from D t r/2 The problem is that each sample is from D t r/2 for different t ! Approximating f 2/r

46 The sign of each Gaussian is ±1 depending on h s,t i mod 2 where s is the coeff vector of its center The distribution of 2 h x,w i i mod 2 for a point x close to L * is centred around h s,t i i mod 2 Hence, we obtained equations modulo 2 with error: h s,t 1 i¼d 2 h x,w 1 ic mod 2 h s,t 2 i¼d 2 h x,w 2 ic mod 2 h s,t 3 i¼d 2 h x,w 3 ic mod 2. Approximating f 2/r

47 Using the learning algorithm, we solve these equations and obtain s Knowing s, we can cancel the sign Averaging over enough samples gives us an approximation to f 2/r Approximating f 2/r

48 Open questions Dequantize the reduction: What can one do classically with a solution to CVP d ? Extend to learning from parity (i.e., p=2) or even some constant p Is there something inherently different about the case of constant p? Any other applications for this ‘new quantum algorithm’?

Download ppt "Lattice-based cryptography and quantum Oded Regev Tel-Aviv University."

Similar presentations

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Sublinear-time Algorithms for Machine Learning Ken Clarkson Elad Hazan David Woodruff IBM Almaden Technion IBM Almaden.

Sublinear-time Algorithms for Machine Learning Ken Clarkson Elad Hazan David Woodruff IBM Almaden Technion IBM Almaden.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Quantum One-Way Communication is Exponentially Stronger than Classical Communication TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Quantum One-Way Communication is Exponentially Stronger than Classical Communication TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
An Efficient Membership-Query Algorithm for Learning DNF with Respect to the Uniform Distribution Jeffrey C. Jackson Presented By: Eitan Yaakobi Tamar.

An Efficient Membership-Query Algorithm for Learning DNF with Respect to the Uniform Distribution Jeffrey C. Jackson Presented By: Eitan Yaakobi Tamar.
Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
The Unique Games Conjecture with Entangled Provers is False Julia Kempe Tel Aviv University Oded Regev Tel Aviv University Ben Toner CWI, Amsterdam.

The Unique Games Conjecture with Entangled Provers is False Julia Kempe Tel Aviv University Oded Regev Tel Aviv University Ben Toner CWI, Amsterdam.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)
Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.

Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

Similar presentations

Ads by Google