An Introduction to Lattice-Based Cryptography
Dana Dachman-Soled, University of Maryland, [email protected]
Traditional Crypto Assumptions
β’ Factoring: Given ππ = ππππ, find ππ, ππβ RSA Given ππ = ππππ, ππ, π₯π₯ππ ππππππ ππ, find π₯π₯.
β’ Discrete Log: Given πππ₯π₯ ππππππ ππ, find π₯π₯.β Diffie-Hellman Assumptions (πππ₯π₯ ,πππ¦π¦ ,πππ₯π₯π¦π¦),
(πππ₯π₯ ,πππ¦π¦ ,πππ§π§)
Are They Secure?
• Algorithmic Advances:
  – Factoring: Best algorithm runs in time $2^{\tilde{O}(n^{1/3})}$ to factor an $n$-bit number.
  – Discrete log: Best algorithm runs in time $2^{\tilde{O}(n^{1/3})}$ for groups $\mathbb{Z}_p^*$, where $p$ is $n$ bits.
• [Adrian et al. 2015] With preprocessing, this could possibly be feasible for nation-states and $n = 1024$.
• Quasipolynomial time algorithms exist for small characteristic fields. Not known to apply in practice.
• Quantum Computers:
  – Shor's algorithm solves both factoring and discrete log in quantum polynomial time ($\tilde{O}(n^2)$).
Are They Secure?
"For those partners and vendors that have not yet made the transition to Suite B algorithms (ECC), we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.... Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy." – NSA Statement, August 2015
Post-Quantum Approach
• New set of assumptions based on finding short vectors in lattices.
• Believed to be hard for quantum computers.
• Evidence of hardness: "worst case to average case reduction".
• Versatile: Can essentially construct all cryptosystems out of these assumptions.
My Research
• New efficient cryptosystems from post-quantum assumptions
  – Constant Round Group Key Exchange [1]
• Understanding the concrete hardness of NIST candidate cryptosystems [2], [3]
• Understanding the hardness of post-quantum cryptosystems under side-channel leakage [2], [4], [5]

[1] Constant-Round Group Key-Exchange from the Ring-LWE Assumption. D. Apon, D. Dachman-Soled, H. Gong, J. Katz. PQCrypto 2019.
[2] LWE with Side Information: Attacks and Concrete Security Estimation. D. Dachman-Soled, L. Ducas, H. Gong, M. Rossi. IACR ePrint Cryptology Archive.
[3] Partial Key Exposure in Ring-LWE-Based Cryptosystems: Attacks and Resilience. D. Dachman-Soled, H. Gong, M. Kulkarni, A. Shahverdi. IACR ePrint Cryptology Archive.
[4] (In)Security of Ring-LWE Under Partial Key Exposure. D. Dachman-Soled, H. Gong, M. Kulkarni, A. Shahverdi. Mathcrypt 2019. Journal of Mathematical Cryptology, to appear.
[5] Towards a Ring Analogue of the Leftover Hash Lemma. D. Dachman-Soled, H. Gong, M. Kulkarni, A. Shahverdi. Mathcrypt 2019. Journal of Mathematical Cryptology, to appear.
Math Prelim
Matrix Multiplication
Matrix times vector: for a $3 \times 3$ matrix $\mathbf{A} = (a_{i,j})$ and a column vector $v = (v_{1,j}, v_{2,j}, v_{3,j})^T$,
$$\mathbf{A} \times \begin{pmatrix} v_{1,j} \\ v_{2,j} \\ v_{3,j} \end{pmatrix} = \sum_{i=1}^{3} v_{i,j} \cdot \begin{pmatrix} a_{1,i} \\ a_{2,i} \\ a_{3,i} \end{pmatrix},$$
i.e., the result is a linear combination of the columns of $\mathbf{A}$ with the entries of $v$ as coefficients.
Matrix times matrix: for $\mathbf{A} \times \mathbf{V}$ with $\mathbf{V} = (v_{i,j})$ a $3 \times 3$ matrix, and $j \in \{1,2,3\}$, the $j$-th column of the output is computed as
$$\sum_{i=1}^{3} v_{i,j} \cdot \begin{pmatrix} a_{1,i} \\ a_{2,i} \\ a_{3,i} \end{pmatrix}.$$
Lattices
An $n$-dimensional lattice $L$ is an additive discrete subgroup of $\mathbb{R}^n$. A basis $\mathbf{B} \in \mathbb{R}^{n \times n}$ defines a lattice $L(\mathbf{B})$ in the following way:
$$L(\mathbf{B}) = \{\, v \in \mathbb{R}^n \text{ s.t. } v = \mathbf{B} z \text{ for some } z \in \mathbb{Z}^n \,\}$$
"integer linear combinations of the basis vectors"
$i$-th successive minimum $\lambda_i(L(\mathbf{B}))$: The smallest radius $r$ such that there are $i$ linearly independent lattice vectors $\{v_1, \ldots, v_i\}$ of length at most $r$.
Example (lattice in the figure): Shortest vector $(1, 2)$, so $\lambda_1 = \sqrt{5}$. Shortest basis $\begin{pmatrix} 3 & 1 \\ 1 & 2 \end{pmatrix}$, with $\lambda_2 = \sqrt{10}$.

Lattices
Basis is not unique!
For the lattice in the figure, $\begin{pmatrix} 3 & 1 \\ 1 & 2 \end{pmatrix}$ forms a basis, and $\begin{pmatrix} 4 & 9 \\ 3 & 8 \end{pmatrix}$ also forms a basis.
Given two bases $\mathbf{B}, \mathbf{B}'$, they define the same lattice iff $\mathbf{B}' = \mathbf{B}\mathbf{U}$, where $\mathbf{U}$ is a unimodular matrix (an integer matrix with determinant $\pm 1$).
Hard Lattice Problems
• Are all parameterized by an "approximation factor" $\gamma > 1$.
• Shortest Vector Problem (SVP): Given a basis $\mathbf{B}$, find a non-zero vector $v \in L(\mathbf{B})$ whose length is at most $\gamma \cdot \lambda_1(L(\mathbf{B}))$.
• Shortest Independent Vector Problem (SIVP): Given a basis $\mathbf{B}$, find a linearly independent set of lattice vectors $\{v_1, \ldots, v_n\}$ such that all vectors have length at most $\gamma \cdot \lambda_n(L(\mathbf{B}))$.
• Gap Shortest Vector Problem (GapSVP): Given a basis $\mathbf{B}$ and a radius $r > 0$:
  – Return YES if $\lambda_1(L(\mathbf{B})) \le r$
  – Return NO if $\lambda_1(L(\mathbf{B})) > \gamma \cdot r$.
Believed hard even for a quantum computer!
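The two facts the lattice slides rest on, "the same lattice has many bases, related by a unimodular matrix" and "$\lambda_1$ is found by exhaustive search only in tiny dimension", can be checked directly on the slides' two-dimensional example. The code below is an added example, not part of the slides; it uses the slides' bases $(3,1),(1,2)$ and $(4,3),(9,8)$ (taken as column vectors), plus a constructed third basis of a different lattice for contrast, and its brute-force search is only meaningful because the dimension is 2.

```python
# Added example (not part of the slides): two-dimensional lattice basics in
# exact integer arithmetic, with the slides' convention that a basis B is a
# matrix whose COLUMNS are the basis vectors and L(B) = { B z : z in Z^n }.
from fractions import Fraction
from itertools import product

def det2(basis):
    """Determinant of a 2x2 basis given as two column vectors (a, c), (b, d)."""
    (a, c), (b, d) = basis
    return a * d - b * c

def change_of_basis(b1, b2):
    """Return U = B1^{-1} B2 as two column vectors of Fractions, so that B2 = B1 U."""
    (a, c), (b, d) = b1
    det = Fraction(det2(b1))
    # Inverse of B1 is (1/det) * [[d, -b], [-c, a]].
    inv = ((d / det, -b / det), (-c / det, a / det))
    return [(inv[0][0] * x + inv[0][1] * y, inv[1][0] * x + inv[1][1] * y)
            for (x, y) in b2]

def same_lattice(b1, b2):
    """B1 and B2 generate the same lattice iff U = B1^{-1} B2 is an integer
    matrix with determinant +-1 (unimodular), as the slide states."""
    u = change_of_basis(b1, b2)
    if any(entry.denominator != 1 for col in u for entry in col):
        return False
    u_int = [(int(x), int(y)) for (x, y) in u]
    return abs(det2(u_int)) == 1

def shortest_vector(basis, bound=10):
    """Brute-force lambda_1: enumerate integer coefficient vectors z with
    |z_i| <= bound and keep the shortest non-zero B z. Feasible only in tiny
    dimension; in high dimension this search is the (hard) SVP."""
    (a, c), (b, d) = basis
    best = None
    for z1, z2 in product(range(-bound, bound + 1), repeat=2):
        if (z1, z2) == (0, 0):
            continue
        v = (z1 * a + z2 * b, z1 * c + z2 * d)
        norm_sq = v[0] ** 2 + v[1] ** 2
        if best is None or norm_sq < best[0]:
            best = (norm_sq, v)
    return best   # (squared length, vector); lambda_1 = sqrt(squared length)

# The slides' two bases for the same lattice, as column vectors.
B1 = [(3, 1), (1, 2)]
B2 = [(4, 3), (9, 8)]
# A constructed basis of a different lattice (2 Z^2), for contrast.
B3 = [(2, 0), (0, 2)]

if __name__ == "__main__":
    print("B2 = B1 U with U =", change_of_basis(B1, B2))
    print("same lattice as B1:", same_lattice(B1, B2), same_lattice(B1, B3))
    print("lambda_1^2 and a shortest vector of L(B1):", shortest_vector(B1))
```

Both of the slides' bases have determinant 5, and `change_of_basis` returns the integer matrix with columns $(1,1)$ and $(2,3)$, whose determinant is 1; the shortest non-zero vector found has squared length 5, matching $\lambda_1 = \sqrt{5}$. The enumeration bound is a constructed cut-off that happens to suffice here; it is not a general algorithm.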
Cryptographic Hard Problems
The SIS Problem
Public $m \times n$ matrix $\mathbf{A}$, with entries chosen at random over $\mathbb{Z}_p$, where $m \gg n$ (the figure labels the two dimensions $m$ and $n$).
$$z \times \mathbf{A} = 0 \bmod p$$
Problem: Given $\mathbf{A}$, find $z \in \{0,1\}^m$ (or a sufficiently "short" $z$) such that $z \times \mathbf{A} = 0 \bmod p$.
Relation to Lattices
• Worst-Case to Average-Case Reduction: Breaking the cryptosystem on average is as hard as breaking the hardest instance of the underlying lattice problem.
• SIS:
  – Worst-Case to Average-Case Reduction from SIVP.
CRHF from Lattices
Public Matrix: $m \times n$ matrix $\mathbf{A}$, with entries chosen at random over $\mathbb{Z}_p$.
Input: $z \in \{0,1\}^m$.
To evaluate the hash on $z$, output $u = z \times \mathbf{A}$, where $u \in \mathbb{Z}_p^n$.

CRHF from Lattices
Given a collision $z_1, z_2 \in \{0,1\}^m$, i.e., $z_1 \times \mathbf{A} = z_2 \times \mathbf{A}$:
Obtain $(z_1 - z_2) \in \{-1, 0, 1\}^m$ with $(z_1 - z_2) \times \mathbf{A} = 0$, a short solution to SIS for $\mathbf{A}$.
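The hash $u = z \times \mathbf{A} \bmod p$ and the collision-to-SIS step above, as an added example that is not from the slides. The parameters $n = 2$, $m = 8$, $p = 7$ are constructed so small that $2^m = 256$ inputs land in at most $p^n = 49$ outputs and a collision can be found by exhaustive enumeration; that search is only there to produce a collision for the reduction to act on, and is exactly what real parameters ($m \ge n \log p$ with $n$ in the hundreds) make infeasible.

```python
# Added example (not from the slides): SIS-based hash h_A(z) = z x A mod p with
# constructed toy parameters, and the collision -> SIS solution step.
import random
from itertools import product

N, M, P = 2, 8, 7   # toy parameters: 2^M inputs into at most P^N outputs

def sample_matrix(rng, m, n, p):
    """Public m x n matrix A with entries uniform over Z_p."""
    return [[rng.randrange(p) for _ in range(n)] for _ in range(m)]

def hash_sis(A, z, p):
    """u = z x A mod p: z is a row vector of length m, A is m x n, u is in Z_p^n."""
    n = len(A[0])
    return tuple(sum(z[i] * A[i][j] for i in range(len(A))) % p for j in range(n))

def find_collision(A, p):
    """Exhaustive search over {0,1}^m for two inputs with the same hash.
    Guaranteed to succeed here by pigeonhole; feasible only for toy sizes."""
    seen = {}
    for z in product((0, 1), repeat=len(A)):
        u = hash_sis(A, z, p)
        if u in seen:
            return seen[u], z
        seen[u] = z
    return None

def collision_to_sis(z1, z2):
    """A collision z1 != z2 in {0,1}^m gives d = z1 - z2 in {-1,0,1}^m, a
    non-zero short vector with d x A = 0 mod p: a solution to SIS."""
    return tuple(a - b for a, b in zip(z1, z2))

def is_sis_solution(A, d, p):
    """Check d is non-zero, has entries in {-1,0,1}, and satisfies d x A = 0 mod p."""
    zero = tuple([0] * len(A[0]))
    return any(d) and all(x in (-1, 0, 1) for x in d) and hash_sis(A, d, p) == zero

A = sample_matrix(random.Random(1), M, N, P)   # fixed seed so runs are reproducible

if __name__ == "__main__":
    z1, z2 = find_collision(A, P)
    print("collision:", z1, z2, "-> both hash to", hash_sis(A, z1, P))
    d = collision_to_sis(z1, z2)
    print("SIS solution:", d, "valid:", is_sis_solution(A, d, P))
```

The check in `is_sis_solution` is the whole content of the reduction: any collision finder for the hash yields a short non-zero $d$ with $d \times \mathbf{A} = 0$, so the hash is collision resistant whenever SIS is hard for $\mathbf{A}$.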
The LWE Problem (Search)
$$\mathbf{A} \times s + e = u$$
Public $m \times n$ matrix $\mathbf{A}$, with entries chosen at random over $\mathbb{Z}_p$.
Secret $n$-dimensional vector $s$ with entries chosen at random.
$m$-dimensional error vector $e$, with entries sampled from $\chi$.
Operations are mod $p$.
Problem: Given $\mathbf{A}$ and $u = \mathbf{A}s + e$, find $s$.

The LWE Problem (Decision)
$$\mathbf{A} \times s + e = u$$
Public $m \times n$ matrix $\mathbf{A}$, with entries chosen at random over $\mathbb{Z}_p$.
Secret $n$-dimensional vector $s$ with entries chosen at random.
$m$-dimensional error vector $e$, with entries sampled from $\chi$.
Operations are mod $p$.
Problem: Distinguish $(\mathbf{A}, u)$ from $(\mathbf{A}, v)$, where $v \leftarrow \mathbb{Z}_p^m$ is chosen uniformly at random.
Relation to Lattices
• Worst-Case to Average-Case Reduction: Breaking the cryptosystem on average is as hard as breaking the hardest instance of the underlying lattice problem.
• LWE:
  – Worst-Case to Average-Case Quantum Reduction from SIVP.
  – Worst-Case to Average-Case Classical Reductions from GapSVP.
Lattice-Based Encryption
Regev's Cryptosystem [Regev '04]
Public Key: $(\mathbf{A}, u)$, where $u = \mathbf{A}s + e$.
Secret Key: $s$.

Regev's Cryptosystem – Encryption of $\mu \in \{0,1\}$
$r \in \{0,1\}^m$ chosen at random. The ciphertext has two parts:
(1) $r \times \mathbf{A}$
(2) $r \times u + \mu \cdot \lfloor p/2 \rfloor$
Regev's Cryptosystem – Decryption
Using the secret key $s$, compute part (2) minus part (1) times $s$:
$$\bigl(r \times u + \mu \cdot \lfloor p/2 \rfloor\bigr) - \bigl(r \times \mathbf{A}\bigr) \times s.$$
Write $w = \mathbf{A}s$, so that $u = \mathbf{A}s + e = w + e$ and $(r \times \mathbf{A}) \times s = r \times w$. Then the expression becomes
$$r \times u - r \times w + \mu \cdot \lfloor p/2 \rfloor = r \times e + \mu \cdot \lfloor p/2 \rfloor \approx 0 + \mu \cdot \lfloor p/2 \rfloor,$$
since $r \times e$ is a sum of at most $m$ small error terms.
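Regev's key generation, encryption and decryption exactly as defined on the preceding slides, as an added example that is not the slides' own code. Everything not fixed by the slides is an assumption of this example: the error distribution $\chi$ is taken to be uniform on $\{-1, 0, 1\}$, the toy parameters are $n = 8$, $m = 40$, $p = 1021$, and the final decision rule is the usual one (output 1 iff the decrypted value is closer to $p/2$ than to 0). With these choices $|r \times e| \le m < p/4$, so decryption can never fail; `decryption_noise` exposes the $r \times e$ term so that one can see how much of that margin a parameter set actually uses.

```python
# Added example (not the slides' code): Regev's cryptosystem with constructed
# toy parameters. chi = uniform on {-1, 0, 1} is an assumption of this example;
# the slides only say "entries sampled from chi".
import random

N, M, P = 8, 40, 1021          # toy parameters; M < P/4 keeps decryption exact
MAX_ERR = 1                    # chi = uniform on {-MAX_ERR, ..., MAX_ERR}

def vec_mat(r, A, p):
    """Row vector r (length m) times m x n matrix A, mod p."""
    return [sum(r[i] * A[i][j] for i in range(len(A))) % p for j in range(len(A[0]))]

def mat_vec(A, s, p):
    """m x n matrix A times column vector s (length n), mod p."""
    return [sum(A[i][j] * s[j] for j in range(len(s))) % p for i in range(len(A))]

def dot(x, y, p):
    return sum(a * b for a, b in zip(x, y)) % p

def keygen(rng):
    """Public key (A, u = A s + e); secret key s."""
    A = [[rng.randrange(P) for _ in range(N)] for _ in range(M)]
    s = [rng.randrange(P) for _ in range(N)]
    e = [rng.randint(-MAX_ERR, MAX_ERR) for _ in range(M)]
    u = [(w + ei) % P for w, ei in zip(mat_vec(A, s, P), e)]
    return (A, u), s

def encrypt(pk, mu, rng):
    """Encrypt one bit: pick r in {0,1}^m, output (r x A, r x u + mu * floor(p/2))."""
    A, u = pk
    r = [rng.randrange(2) for _ in range(M)]
    part1 = vec_mat(r, A, P)
    part2 = (dot(r, u, P) + mu * (P // 2)) % P
    return part1, part2

def decrypt(sk, ct):
    """Compute (2) - (1) x s = r x e + mu * floor(p/2) and decide by nearness to 0 or p/2."""
    part1, part2 = ct
    v = (part2 - dot(part1, sk, P)) % P
    return 1 if P // 4 < v <= 3 * P // 4 else 0

def decryption_noise(sk, ct):
    """The centered r x e term left after removing mu * floor(p/2); shows how
    close a parameter set comes to a decryption failure (|noise| must stay < p/4)."""
    part1, part2 = ct
    v = (part2 - dot(part1, sk, P)) % P
    noise = (v - decrypt(sk, ct) * (P // 2)) % P
    return noise - P if noise > P // 2 else noise

def roundtrip(seed, trials=5):
    """Generate a key and encrypt/decrypt both bits several times.
    Returns (all decryptions correct, largest |r x e| observed)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ok, worst = True, 0
    for bit in (0, 1):
        for _ in range(trials):
            ct = encrypt(pk, bit, rng)
            ok = ok and decrypt(sk, ct) == bit
            worst = max(worst, abs(decryption_noise(sk, ct)))
    return ok, worst

if __name__ == "__main__":
    print("all correct, max |r x e|:", roundtrip(2020))
```

The bound $|r \times e| \le m \cdot \mathrm{MAX\_ERR}$ is what the slide's "$\approx 0$" means concretely; shrinking $p$ below $4m$ (or widening $\chi$) would let the noise cross the $p/4$ decision boundary and produce wrong decryptions.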
Properties of LWE
• Equivalence of Search/Decision LWE
• Equivalence of LWE with a random secret and LWE with the secret drawn from the error distribution
Efficiency
• Efficiency is a main concern in lattice-based cryptosystems.
• In both SIS- and LWE-based cryptosystems, the public key consists of a random matrix of size $m \times n$ ($m \ge n \log p$), requiring space $O(n^2 \log^2 p)$.
  – RSA and discrete-log based cryptosystems: public key size is linear in the security parameter.
• To reduce the public key size, consider lattices with structure.
• This is the Ring-LWE setting.
Ring-LWE Setting
• Highly efficient key exchange protocols are possible in the Ring-LWE setting.
  – Similar to Diffie-Hellman Key Exchange
• It is likely that at least one such scheme will be standardized by NIST.
• Details in the slides, but will skip in the lecture.
Summary
• Lattice-based cryptography is a promising approach for efficient, post-quantum cryptography.
• All the basic public key primitives can be constructed from these assumptions:
  – Public key encryption, Key Exchange, Digital Signatures
• For more information on research projects, please contact me at: [email protected]
Thank you!
The Ring Setting
• Quotient ring $\mathbb{Z}_q[x]/\Phi_m(x)$, where $\Phi_m$ is the $m$-th cyclotomic polynomial, of degree $\varphi(m)$.
  – e.g., $\Phi_{2n} = x^n + 1$; take $n = 2$, $q = 13$.
  – $x^2 = -1 \bmod (x^2 + 1)$
  – $12x^3 + 15x^2 + 9x + 25 \equiv 12x^3 + 2x^2 + 9x + 12 \equiv -12x - 2 + 9x + 12 \equiv 10x + 10$, i.e., the coefficient vector $(10, 10)$.
• Lattice is defined as an ideal $I \subset \mathbb{Z}[x]/\Phi_m(x)$.
• Ring-LWE and ring-SIS problems are defined by substituting the matrix $\mathbf{A}$ with polynomials from the quotient ring and substituting polynomial multiplication for matrix-vector multiplication.
• The public key is now a polynomial in $\mathbb{Z}_q[x]/\Phi_m(x)$, and so can be described using $O(n \log q)$ bits.
NTT Transform
Consider $\Phi_m$, where $m$ is a power of 2. Then the degree $n$ is also a power of 2, with $m = 2n$ and $\Phi_{2n} = x^n + 1$.
• Consider a prime $q$ s.t. $q \equiv 1 \bmod 2n$.
• Then we have $n$ primitive $2n$-th roots of unity modulo $q$.
  – Why? $\mathbb{Z}_q^*$ is cyclic with order $q - 1$, and $2n \mid (q - 1)$.
  – Let $g$ be a generator of $\mathbb{Z}_q^*$. $g$ is a primitive $(q-1)$-th root of unity.
  – With $k = (q-1)/2n$: $(g^k)^{2n} = g^{q-1} = 1$, since $2n \mid (q - 1)$, so $g^k$ is a primitive $2n$-th root of unity. So is $(g^k)^i$ for every $i$ relatively prime to $2n$.
  – Note that $(g^k)^n = -1 \bmod q$. Modulo $x^n + 1$ means $x^n = -1$.
  – Let $\gamma_1, \ldots, \gamma_n$ be the $n$ primitive $2n$-th roots of unity.
• For a polynomial $f(x) \in \mathbb{Z}_q[x]/(x^n + 1)$:
• For every $\gamma_i$, $f(\gamma_i) \bmod q$ is equal to taking $f(x)$ modulo $x^n + 1$ and modulo $q$ and then evaluating the reduced polynomial at $\gamma_i$.

NTT Transform
• For a polynomial $f(x) \in \mathbb{Z}_q[x]/(x^n + 1)$:
• Evaluate $f(x)$ on all $n$ primitive $2n$-th roots of unity. Obtain the vector $(f(\gamma_1), \ldots, f(\gamma_n))$.
• Can now do both addition and multiplication coordinate-wise.
Key Exchange from Ring-LWE
Simple Key Exchange
Parties $P_1$ and $P_2$ hold secrets $s_1$ and $s_2$ respectively; $a$ is a public ring element.
$P_1 \to P_2$: $(a,\ u_1 = a \cdot s_1 + e_1)$
$P_2 \to P_1$: $(a,\ u_2 = a \cdot s_2 + e_2)$
$P_1$ computes $u_2 \cdot s_1 \approx a \cdot s_2 \cdot s_1$; $P_2$ computes $u_1 \cdot s_2 \approx a \cdot s_1 \cdot s_2$.
RECONCILIATION
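The ring arithmetic from "The Ring Setting", the NTT as evaluation at the $n$ primitive $2n$-th roots of unity, and the approximate agreement of the simple key exchange above, in one added example that is not from the slides. It reproduces the slides' worked reduction for $n = 2$, $q = 13$ and checks the coordinate-wise multiplication property. Everything about the key exchange beyond the slide is an assumption of this example: the secrets and errors are polynomials with coefficients uniform on $\{-1, 0, 1\}$, the parameters $n = 8$, $q = 257$ are constructed, and the function only measures the gap $e_2 s_1 - e_1 s_2$ between the two parties' values, which is what a reconciliation step (not specified on the slide) has to absorb.

```python
# Added example (not from the slides): Z_q[x]/(x^n + 1) arithmetic, NTT by
# evaluation at the primitive 2n-th roots, and Ring-LWE key-exchange agreement.
# Polynomials are coefficient lists, lowest degree first. Small secrets and
# errors uniform on {-1, 0, 1} are an assumption of this example.
import random

def reduce_ring(f, n, q):
    """Reduce f modulo x^n + 1 and modulo q. Since x^n = -1, the term c x^i
    with i = k n + r contributes (-1)^k c to coefficient r."""
    out = [0] * n
    for i, c in enumerate(f):
        k, r = divmod(i, n)
        out[r] += c if k % 2 == 0 else -c
    return [c % q for c in out]

def ring_mul(f, g, n, q):
    """Schoolbook product followed by reduction modulo (x^n + 1, q)."""
    prod = [0] * (2 * n - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            prod[i + j] += a * b
    return reduce_ring(prod, n, q)

def ring_add(f, g, q):
    return [(a + b) % q for a, b in zip(f, g)]

def ring_sub(f, g, q):
    return [(a - b) % q for a, b in zip(f, g)]

def primitive_2n_roots(n, q):
    """The n elements x of Z_q with x^n = -1: the roots of x^n + 1, which are
    exactly the primitive 2n-th roots of unity. Requires q = 1 mod 2n."""
    assert (q - 1) % (2 * n) == 0, "need q = 1 mod 2n"
    roots = [x for x in range(1, q) if pow(x, n, q) == q - 1]
    assert len(roots) == n
    return roots

def ntt(f, n, q):
    """NTT of f: its values at the n primitive 2n-th roots (in ascending order)."""
    f = reduce_ring(f, n, q)
    return [sum(c * pow(r, i, q) for i, c in enumerate(f)) % q
            for r in primitive_2n_roots(n, q)]

def pointwise_mul(u, v, q):
    """Multiplication in the NTT domain is coordinate-wise."""
    return [(a * b) % q for a, b in zip(u, v)]

def small_poly(rng, n, bound=1):
    return [rng.randint(-bound, bound) for _ in range(n)]

def simple_key_exchange(n, q, seed=0, bound=1):
    """Run the slide's exchange. Returns P1's value u2*s1, P2's value u1*s2,
    and the largest centered coefficient of their difference e2*s1 - e1*s2,
    which is bounded by 2 * n * bound^2 and must be absorbed by reconciliation."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(n)]          # public ring element
    s1, e1 = small_poly(rng, n, bound), small_poly(rng, n, bound)
    s2, e2 = small_poly(rng, n, bound), small_poly(rng, n, bound)
    u1 = ring_add(ring_mul(a, s1, n, q), e1, q)       # P1 -> P2
    u2 = ring_add(ring_mul(a, s2, n, q), e2, q)       # P2 -> P1
    k1 = ring_mul(u2, s1, n, q)                       # P1: a*s2*s1 + e2*s1
    k2 = ring_mul(u1, s2, n, q)                       # P2: a*s1*s2 + e1*s2
    diff = ring_sub(k1, k2, q)
    centered = [d - q if d > q // 2 else d for d in diff]
    return k1, k2, max(abs(d) for d in centered)

if __name__ == "__main__":
    # The slides' worked example: n = 2, q = 13.
    print(reduce_ring([25, 9, 15, 12], 2, 13))        # [10, 10]
    print(primitive_2n_roots(2, 13), ntt([10, 10], 2, 13))
    k1, k2, gap = simple_key_exchange(8, 257, seed=1)
    print(k1, k2, "max coefficient gap:", gap)
```

For $q = 13$, $n = 2$ the roots of $x^2 + 1$ are 5 and 8, so the NTT of $10x + 10$ is $(f(5), f(8)) = (8, 12)$. The identity `ntt(ring_mul(f, g)) == pointwise_mul(ntt(f), ntt(g))` holds because each root $\gamma_i$ satisfies $\gamma_i^n = -1$, so reducing modulo $x^n + 1$ does not change the value at $\gamma_i$. In the exchange the two parties' values agree only up to the small polynomial $e_2 s_1 - e_1 s_2$; with $q = 257$ and $n = 8$ every coefficient of that gap is at most 16 in absolute value, far below $q/4$, which is the margin a reconciliation mechanism relies on.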