Lattice-based CryptographyOded RegevTel-Aviv University

Outline

Latticev1v202v1v1+v22v22v2-v12v2-2v1For vectors v1,,vn in Rn we define the lattice generated by them as L={a1v1++anvn | ai integers}

We call v1,,vn a basis of L

*Geometric objects with rich structureConsiderable mathematical interest, starting from early work by Gauss 1801, Hermite 1850, and Minkowski 1896. Recently, many interesting applications in computer science. Some highlights:LLL algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovsz82]. Used for:Factoring rational polynomials,Solving integer programs in a fixed dimension,Breaking knapsack cryptosystems.Cryptanalysis:Coppersmiths attacks on RSACryptography:Ajtais one-way functions and the average case connection [Ajtai96] Lattice-based cryptosystems [AjtaiDwork97]History

SVP: given a lattice, find a shortest (nonzero) vector-approximate SVP: given a lattice, find a vector of length at most times the shortestOther lattice problems: SIVP, SBP, etc.Shortest Vector Problem (SVP)0v2v13v2-4v1

Conjecture: for any =poly(n), -approximate SVP is hardBest known algorithm runs in time 2n [AjtaiKumarSivakumar01]On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04]Best poly-time algorithm solves for =2nloglogn/logn [LLL82, Schnorr85]NP-hard for sub-polynomial [Ajtai97,Micciancio01,Khot04,HavivR07]

Lattice Problems Seem Hard2n loglogn/lognNP-hardP2log1-nnnNPcoNPcrypto1

Survey of Lattice-based Cryptography

Standard cryptography Not always provableSecurity based on an average-case problemBased on hardness of factoring, discrete log, etc.Broken by quantum algorithmsRequire modular exponentiation etc.

Why use lattice-based cryptographyLattice-based cryptography Provably secureSecurity based on a worst-case problemBased on hardness of lattice problems

(Still) Not broken by quantum algorithmsVery simple computationsCan do more things

Reduce solving a hard problem to breaking the cryptographic functionA security proof gives a strong evidence that our cryptographic function has no fundamental flawsCan also give hints as to choice of parameters

Example: One-wayness of modular squaringSomehow choose N=pq for two large primes p,qf(x)=x2 mod NIf we can compute square roots then we can factor N

Provable Security

How do you pick a good N in RSA?Just pick p,q as random large primes and set N=pq?(1978) Largest prime factors of p-1,q-1 should be large(1981) p+1 and q+1 should have a large prime factor(1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors(1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factorsBottom line: currently, none of this is relevantAverage-case hardness is not so nice

The cryptographic function is hard provided almost all N are hard to factorProvable security based on average-case hardnessNfN

The cryptographic function is hard provided the lattice problem is hard in the worst-caseThis is a much stronger security guaranteeIt assures us that our distribution is correctProvable security based on worst-case hardnessLfL

A CRHF is a function f:{0,1}r{0,1}s with r>s such that it is hard to find collisions, i.e.,xy s.t. f(x)=f(y)

First lattice-based CRHF given in [Ajtai96] Based on the worst-case hardness of n8-approximate SVPSecurity improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04]Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04]

Collision-Resistant Hash Functions

The Modular Subset-Sum FunctionLet N be a big integer, and m=2log2NChoose a1,,am uniformly in {0,,N-1}. Then define fa1,,am:{0,1}m{0,,N-1} by

fa1,,am(b1,,bm) = biai mod N

Since m>log2N, (many) collisions existWe will later see a proof of security:Being able to find a collision in a randomly chosen f, even with probability n-100 implies a solution to any instance of approximate-SVP

In the constructions above, for security based on n-dimensional lattices, O(n2) bits are necessary to specify a hash functionMore efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06]Essentially the same subset-sum function except over a different ringOnly O(n) bits needed to specify a hash functionBased on worst-case hardness of approximate-SVP on a restricted class of lattices (e.g., cyclic or ideal lattices)Recent Work: More Efficient CRHFs

A PKC allows parties to communicate securely without having to agree on a secret key beforehandFirst lattice-based PKC presented in [AjtaiDwork97] Some improvements [GoldreichGoldwasserHalevi97, R03,Peikert08]

Advantages:Worst-case hardnessBased on lattice problems (GapSVP)Main disadvantage: impractical! (think of n as 100):Public key size O(n4)Encryption expands by O(n2)Public-key Cryptosystem

A Recent Public-key Cryptosystem [R05]

Advantages:Worst-case hardnessBased on the main lattice problems (SVP, SIVP)Main advantage: practical! (think of n as 100):Public key size O(n)Encryption expands by O(n)One (minor?) disadvantage:Breaking the cryptosystem implies an efficient quantum algorithm for lattices Introduced the LWE problem (used in [PVW08, PW08, Pei09a, Pei09b, AGV09, ACPS09, KS06, CHK09, ...])

Example of a lattice-based PKC [R05]21 + 02 + 10 + 23 111 + 22 + 20 + 33 201 + 22 + 00 + 33 111 + 22 + 00 + 23 001 + 32 + 10 + 33 331 + 32 + 00 + 23 22 0 1 21 2 2 30 2 0 31 2 0 20 3 1 33 3 0 22? + 0? + 1? + 2? 11? + 2? + 2? + 3? 20? + 2? + 0? + 3? 11? + 2? + 0? + 2? 00? + 3? + 1? + 3? 33? + 3? + 0? + 2? 23? + 2? + 1? + 0? 321 + 02 + 10 + 23 = 011 + 22 + 20 + 33 = 201 + 22 + 00 + 33 = 111 + 22 + 00 + 23 = 301 + 32 + 10 + 33 = 331 + 32 + 00 + 23 = 3

Construction of a Lattice-based Collision Resistant Hash Function

Blurring a Picture

Blurring a Lattice

Blurring a Lattice

Blurring a Lattice

Blurring a Lattice

Blurring a Lattice

The Smoothing RadiusDefine the smoothing radius =(L)>0 as the smallest real such that adding Gaussian blur of radius to L yields an essentially uniform distributionThe radius was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93]It was shown that is small in the sense that finding vectors of length poly(n)(L) implies solution to poly(n)-approximate SVP

An Alternative DefinitionDefine h:Rn![0,1)n that maps any x=ivi toh(x)=(1,,n) mod 1.E.g., any xL has h(x)=(0,,0)

Then an alternative way to define is as:The smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius , then h(x) is essentially uniform on [0,1)n

0(0,0)(1,0)(0,1)(1,1)h(x3)Rn[0,1)n h(x2)h(x4)h(x1)

Our CRHFFix the dimension n, let q=22n, and m=4n2Choose a1,,am uniformly in Zqn. Then define fa1,,am:{0,1}m{0,1}nlog2q by

fa1,,am(b1,,bm) = biai (mod q)

Since m>nlog2q, (many) collisions existWe now prove security by showing that:Being able to find a collision in a randomly chosen fa1,,am, even with probability n-100, implies a solution to any instance of poly(n)-approximate SVP

Security ProofAssume there exists an algorithm CollisionFind that given a1,,am chosen uniformly in Zqn, finds with some non-negligible probability b1,,bm{-1,0,1} (not all zero) such that biai = 0 (mod q).This implies an algorithm CollisionFind that given a1,,am chosen uniformly from [0,1)n, finds with some non-negligible probability b1,,bm{-1,0,1} (not all zero) such that biai (0,,0) (mod 1)(up to m/q in each coordinate)

CollisionFind(0,0)(1,0)(0,1)(1,1)a1a2a3a4a5Output: a1+a2-a4+a5(0,,0) (mod 1)a6

Security ProofOur goal is to show that using CollisionFind we can find a nonzero vector of length at most poly(n)(L) in any given lattice L

So let L be a given lattice with basis v1,,vn

By using the LLL algorithm, we can assume that v1,,vn are not unreasonably long: say, of length at most 2n(L)

Security Proof Main ProcedureSample m vectors x1,,xm from the Gaussian distribution around 0 of radius Compute a1:=h(x1),,am:=h(xm)Each ai is uniformly distributed in [0,1)nApply CollisionFind to obtain b1,,bm {-1,0,1} such that bih(xi) (m/q,,m/q) (mod 1)Define y=bixi. Then,y is short (of length m)y is extremely close to a lattice point since h(y)=bih(xi)(m/q,,m/q) (mod 1)

Security Proof Main ProcedureWrite y=ivi for some reals 1,,nSo each i is within m/q of an integerDefine the lattice vector y=iviThe distance

So y is a lattice vector of length at most (m+1)

0CollisionFind(a1,a2,a3,a4)-a2-a3+a40 (mod 1)yy

Security Proof One Last IssueHow to guarantee that y is nonzero?Maybe CollisionFind acts in some malicious way, trying to make y zeroIt can be shown that ai does not contain enough information about xiIn other words, conditioned on any fixed ai, xi still has enough randomness to guarantee that y is nonzero with very high probability

All lattices look the same after adding some small amount of blur

Security Proof ConclusionBy a single call to the collision finder, we can find in any lattice, a nonzero vector of length at most (m+1) with some non-negligible probabilityBy repeating this procedure we can obtain such a vector with very high probabilityThe essential idea:

Open ProblemsEstablish recommended parametersCryptanalysisKnown attacks limited to low dimension [NguyenStern98]New systems [Ajtai05,R05] are efficient and can be used with high dimensionsImproved cryptosystemsUse special classes of lattices

Related to Math, CS, physicsMany more works that I dont mentionLLL gives a very bad approximationThe reason lattices are interesting, especially in cryptography: hard problems with lots of structureAjtai work resulted in many papers, even a recent book% he proved that the problem is hard on average case: a random instance is hard as a worst case instance Explain the importance of average case hardness factoring is easy 100003*2=200006---------------------------------------Explain the importance of average case hardness factoring is easy 100003*2=200006Explain the importance of average case hardness factoring is easy 100003*2=200006Explain the importance of average case hardness factoring is easy 100003*2=200006Explain the importance of average case hardness factoring is easy 100003*2=200006Explain the importance of average case hardness factoring is easy 100003*2=200006Explain the importance of average case hardness factoring is easy 100003*2=200006Simply subset sum, no wavy distributionFamily of functionsExplain the importance of average case hardness factoring is easy 100003*2=200006Explain the importance of average case hardness factoring is easy 100003*2=200006Approximation factors are quite good tooThis gives n^2 but n can be achieved---------------------------------------Simply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functionsSimply subset sum, no wavy distributionFamily of functions