
Page 1 (source: people.irisa.fr/Adeline.Roux-Langlois/webpage/LangloisPhdSlides.pdf)

Lattice-Based Cryptography: Security Foundations and Constructions

Adeline Langlois

École Normale Supérieure de Lyon,

supervised by Damien Stehlé

PhD thesis defense – 17 October 2014

Adeline Langlois Lattice-Based Cryptography October 17, 2014 1/ 1

Pages 2–5

Lattice-based cryptography

[Figure: a lattice of points with basis vector b1]

Lattice → solve an algorithmic problem

Communication between two parties

Adversary: the algorithmic problem is HARD for the adversary

Page 6

Encryption scheme

The receiver generates a pair of keys (pk, sk), publishes pk and keeps sk.
The sender wants to send a message M and computes c = Enc(pk, M).
The receiver decrypts: M′ = Dec(sk, c).

Two requirements: Correctness and Security
• Correctness: M = M′ with high probability.
• Security: c0 = Enc(pk, M0) indistinguishable from c1 = Enc(pk, M1).

Page 7

Signature scheme

The signer generates a pair of keys (pk, sk) and publishes pk.
To authenticate a message M, the signer computes σ = Sign(sk, M) and sends (M, σ).
Anyone can verify: Verify(pk, σ, M) = 1?

Two requirements: Correctness and Security
• Correctness: Verify = 1 with high probability if σ is correct.
• Security: the adversary cannot forge a signature σ* for a new M*.

Page 8

Group signatures [Chaum, Van Heyst 91]

→ allow any member of a group to anonymously and accountably sign on behalf of this group.

• Group manager: holds (mpk, msk) and the sk_i; runs KeyGen and Open
• Group members: hold sk_i; run Sign
• Anyone: runs Verify

[Figure: group manager (KeyGen, Open), group members (Sign), anyone (Verify)]

Page 9

Outline

Lattice-Based Cryptography

Security Foundations
• Z. Brakerski, A. Langlois, C. Peikert, O. Regev and D. Stehlé. Classical Hardness of Learning with Errors. In proc. of STOC 2013.
• A. Langlois and D. Stehlé. Worst-case to Average-case Reductions for Module Lattices. Accepted to Designs, Codes and Cryptography.

Group Signature Scheme
• F. Laguillaumie, A. Langlois, B. Libert and D. Stehlé. Lattice-based Group Signature with Logarithmic Signature Size. In proc. of Asiacrypt 2013.
• A. Langlois, S. Ling, K. Nguyen and H. Wang. Lattice-based Group Signature with Verifier Local Revocation. In proc. of PKC 2014.

Conclusion

Pages 11–13

Lattices

Lattice: L(B) = { Σ_{i=1}^{n} a_i b_i, a_i ∈ Z }, where the (b_i)_{1≤i≤n}, linearly independent vectors, are a basis of L(B).

[Figure: lattice points with basis vectors b1, b2]

Shortest Vector Problem (GapSVP)
Given a lattice L(B) of dimension n and d > 0:
Output:
• yes: there is z ∈ L(B) non-zero such that ‖z‖ < d,
• no: for all non-zero vectors z ∈ L(B): ‖z‖ ≥ d.

Gap Shortest Vector Problem (GapSVP_γ)
Given a lattice L(B) of dimension n and d > 0:
Output:
• yes: there is z ∈ L(B) non-zero such that ‖z‖ < d,
• no: for all non-zero vectors z ∈ L(B): ‖z‖ ≥ γd.

[Figure: balls of radius d and γd around 0 in the lattice]

Conjecture
There is no algorithm that approximates these lattice problems to within polynomial factors γ = poly(n) with time polynomial in n.
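A worked instance of these definitions in dimension 2, added here as an example (it is not part of the slides): Lagrange-Gauss reduction finds a shortest non-zero vector of a rank-2 lattice, and that length answers GapSVP_γ exactly. For n = 2 the problem is easy, which is why the conjecture above is about large n and polynomial γ. The bases, thresholds and the brute-force cross-check are constructed for the example.

```python
from fractions import Fraction

def norm2(v):
    """Squared Euclidean norm, kept as an integer so every comparison is exact."""
    return v[0] * v[0] + v[1] * v[1]

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(b1, b2):
    """Lagrange-Gauss reduction of a rank-2 basis. On return b1 is a shortest
    non-zero vector of L(B) and |<b1, b2>| <= |b1|^2 / 2 (a reduced basis)."""
    b1, b2 = tuple(b1), tuple(b2)
    while True:
        if norm2(b2) < norm2(b1):
            b1, b2 = b2, b1
        # nearest-integer multiple of b1 to subtract from b2 (exact arithmetic)
        mu = round(Fraction(dot(b1, b2), norm2(b1)))
        if mu == 0:
            return b1, b2
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])

def shortest_norm2(b1, b2):
    """lambda_1(L(B))^2 for a 2-dimensional lattice."""
    return norm2(gauss_reduce(b1, b2)[0])

def brute_force_norm2(b1, b2, bound):
    """Cross-check: enumerate a1*b1 + a2*b2 for |a1|, |a2| <= bound and keep
    the shortest non-zero combination (only meaningful for tiny examples)."""
    best = None
    for a1 in range(-bound, bound + 1):
        for a2 in range(-bound, bound + 1):
            if a1 == 0 and a2 == 0:
                continue
            z = (a1 * b1[0] + a2 * b2[0], a1 * b1[1] + a2 * b2[1])
            if best is None or norm2(z) < best:
                best = norm2(z)
    return best

def gapsvp(b1, b2, d, gamma=1):
    """Decide GapSVP_gamma on L(B) with threshold d: 'yes' if lambda_1 < d,
    'no' if lambda_1 >= gamma*d, and None when the instance falls in the gap
    [d, gamma*d) that the promise problem excludes."""
    lam2 = Fraction(shortest_norm2(b1, b2))
    d2 = Fraction(d) ** 2
    if lam2 < d2:
        return "yes"
    if lam2 >= Fraction(gamma) ** 2 * d2:
        return "no"
    return None

if __name__ == "__main__":
    # Constructed basis of 2Z x 3Z written in a skewed form; shortest vector is (2, 0).
    print(gauss_reduce((2, 3), (4, 3)), gapsvp((2, 3), (4, 3), 1.5, gamma=2))
```

The basis (5, 3), (8, 5) has determinant 1, so it generates Z² and the reduction must return a vector of norm 1; the basis (2, 3), (4, 3) generates 2Z × 3Z, whose shortest vector has squared norm 4.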

Page 14

Lattice-based cryptography

From basic to very advanced primitives
• Public key encryption and signature schemes (practical), [Regev 05, Gentry, Peikert and Vaikuntanathan 08, Lyubashevsky 12 ...];
• Identity/Attribute-based encryption, [GPV 08, Gorbunov, Vaikuntanathan and Wee 13 ...];
• Fully homomorphic encryption, [Gentry 09, Brakerski and Vaikuntanathan 11, ...].

Advantages
• (Asymptotically) efficient;
• Security proofs from the hardness of lattice problems;
• Likely to resist attacks from quantum computers.

Pages 15–16

SIS_β and LWE_α

Parameters: n dimension, m ≥ n, q modulus. For A ← U(Z_q^{m×n}):

Small Integer Solution (SIS_β) [Ajtai 96]
Goal: Given A ← U(Z_q^{m×n}), find x such that xᵀ A = 0 mod q and 0 < ‖x‖ ≤ β.

Learning With Errors (LWE_α) [Regev 05]
s ← U(Z_q^n), e a small error ≈ αq.
Goal: Given (A, A s + e), find s.

[Figure: the m×n matrix A, with the row vector x on the left for SIS and the column A s + e for LWE]

Page 17

Learning With Errors (dimension n, modulus q)
• A ← Uniform in Z_q^{m×n}, with m ≥ n,
• s ← Uniform in Z_q^n,
• e is a small error.
Given (A, A s + e), find s. (LWE and/or SIS)

[Figure: a lattice with basis vector b1] → solve GapSVP

1. Security Foundations: from the lattice problem (GapSVP) to LWE / SIS
2. Constructions:
• LWE-based Encryption
• SIS-based Signature
• LWE and SIS-based Group signature


Page 20

Main result

A classical (not quantum) reduction from a worst-case lattice problem (GapSVP in dimension √n) to the Learning With Errors problem (dimension n) with small modulus (polynomial in n).

• Z. Brakerski, A. Langlois, C. Peikert, O. Regev and D. Stehlé. Classical Hardness of Learning with Errors. In the proceedings of STOC 2013.

Page 21

The Learning With Errors problem [Regev 05]

LWE_{n,q} (with m arbitrarily large)
Given (A, A s + e), find s, where
• A ← U(Z_q^{m×n}),
• s ← U(Z_q^n),
• e ∼ D_{Z^m, αq} small, with α = o(1) (discrete Gaussian error of parameter αq).

Decision version: Distinguish (A, A s + e) from (A, b) with b uniform.
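To connect this definition to the encryption requirements of Page 6, here is an added example (not the slides' or the papers' code) of Regev's bit encryption built on LWE samples, next to the plain linear-algebra solver that recovers s as soon as the error is removed. The parameters, the uniform error in place of the discrete Gaussian D_{Z^m, αq}, and the seed are constructed; the correctness condition m·err_bound < q/4 is what makes decryption exact here.

```python
import random

def center(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r

def lwe_keygen(n, m, q, err_bound, rng):
    """Public key (A, b = A s + e mod q) and secret key s. The error e is drawn
    uniformly from [-err_bound, err_bound]: a constructed stand-in for the
    discrete Gaussian of the slides, chosen so the correctness bound is simple."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-err_bound, err_bound) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return (A, b), s

def encrypt(pk, bit, q, rng):
    """Regev encryption of one bit: add a random subset r in {0,1}^m of the
    samples and put bit*floor(q/2) on the b-part."""
    A, b = pk
    m, n = len(A), len(A[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    v = (sum(r[i] * b[i] for i in range(m)) + bit * (q // 2)) % q
    return u, v

def decrypt(sk, ct, q):
    """v - <u, s> = <r, e> + bit*floor(q/2) mod q. |<r, e>| <= m*err_bound, so
    decoding by distance to 0 versus q/2 is exact when m*err_bound < q/4."""
    u, v = ct
    w = center(v - sum(ui * si for ui, si in zip(u, sk)), q)
    return 1 if abs(w) > q // 4 else 0

def solve_mod_prime(A, b, q):
    """Gaussian elimination over Z_q (q prime): s with A s = b mod q, or None if
    the system is rank-deficient or inconsistent. With e = 0 the secret falls
    out of linear algebra; with e != 0 the m > n equations no longer have an
    exact solution, which is what the error term is there for."""
    m, n = len(A), len(A[0])
    M = [[x % q for x in A[i]] + [b[i] % q] for i in range(m)]
    row = 0
    for col in range(n):
        piv = next((r for r in range(row, m) if M[r][col]), None)
        if piv is None:
            return None
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], -1, q)
        M[row] = [(x * inv) % q for x in M[row]]
        for r in range(m):
            if r != row and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[row])]
        row += 1
    if any(M[r][n] for r in range(row, m)):
        return None  # a row reading 0 = c with c != 0: inconsistent
    return [M[i][n] for i in range(n)]

def demo(seed=7, n=16, m=32, q=257, err_bound=1):
    """Constructed parameters: m*err_bound = 32 < q/4 = 64.25, so decryption is exact."""
    rng = random.Random(seed)
    pk, sk = lwe_keygen(n, m, q, err_bound, rng)
    A, b = pk
    roundtrip = [decrypt(sk, encrypt(pk, bit, q, rng), q) for bit in (0, 1)]
    b_noiseless = [sum(A[i][j] * sk[j] for j in range(n)) % q for i in range(m)]
    return {
        "roundtrip": roundtrip,
        "secret": sk,
        "recovered_without_error": solve_mod_prime(A, b_noiseless, q),
        "recovered_with_error": solve_mod_prime(A, b, q),
    }

if __name__ == "__main__":
    out = demo()
    print(out["roundtrip"], out["recovered_without_error"] == out["secret"],
          out["recovered_with_error"])
```

The parameters are far too small to be secure; they are sized so that the correctness bound can be checked by hand, and the solver illustrates why the decision version above is stated with an error term rather than exact samples.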

Pages 22–23

Prior reductions from worst-case lattice problems to LWE

• [Regev 05]: a quantum reduction, with q polynomial. (Quantum computer?)
• [Peikert 09]: a classical reduction, with q exponential. (Inefficient primitives)
• [Peikert 09]: a classical reduction, with q polynomial, based on a non-standard lattice problem. (Hardness?)

Our main result
• A classical reduction,
• from a standard worst-case lattice problem,
• with q polynomial.

Page 24

Main component in the proof: a self-reduction

• Recall that [Peikert 09] already showed hardness of LWE with q exponential.
How do we obtain a hardness proof for p polynomial?
• All we have to do is show the following reduction:
A reduction from LWE with modulus q exponential to LWE with modulus p polynomial.

Page 26

Modulus Switching

A reduction from LWE with modulus q to LWE with modulus p.

How to map (A, A s + e) mod q to (A′, A′ s + e′) mod p?
• Transform A ←↩ U(Z_q^{m×n}) to A′ ←↩ U(Z_p^{m×n});
First idea: A′ = ⌊(p/q) A⌉?
• Two main difficulties:
1. The distribution is not uniform: a naive rounding introduces artefacts.
Solution: add a Gaussian rounding to smooth the distribution: A′ = (p/q) A + R.
2. In A′ s + e′, the rounding error gets multiplied by the secret s (which is too large: uniform in Z_q^n).

Page 28

From large to small secret

From LWE with arbitrary secret to LWE with binary secret.
• Inspired by ideas from cryptography (prior reduction by [Goldwasser, Kalai, Peikert and Vaikuntanathan 10]); but different and stronger techniques.
• From s uniform in Z_q^n to s uniform in {0, 1}^n.
• Consequence: it expands the dimension from n to n log q.

[Figure: given (A, A s + e), find s]
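An added example (not from the slides or the paper) that carries out the naive rounding of Page 26 on a constructed LWE instance and measures the error e′ it leaves behind. It makes difficulty 2 concrete: the rounding offsets R of A get multiplied by s, so with a binary secret, which is what the large-to-small reduction on this page supplies, the extra error stays within a small provable bound, while with a secret uniform in Z_q^n the same bound exceeds p/2 and the switched instance carries no usable information about s. Parameters and the uniform error (in place of the discrete Gaussian) are constructed; the Gaussian rounding that fixes difficulty 1 is not implemented here.

```python
import random
from fractions import Fraction

def center(x, m):
    """Representative of x mod m in (-m/2, m/2]."""
    r = x % m
    return r - m if r > m // 2 else r

def lwe_instance(n, m, q, s, err_bound, rng):
    """Constructed LWE instance for a given secret: A uniform in Z_q^{m x n},
    b = A s + e mod q, e uniform in [-err_bound, err_bound]."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-err_bound, err_bound) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return A, b, e

def switch_entry(x, q, p):
    """The slide's first idea: round (p/q)*x to the nearest integer (exact arithmetic)."""
    return round(Fraction(p * x, q))

def modulus_switch(A, b, q, p):
    """Map (A, b) mod q to (A', b') mod p by rounding every entry."""
    A2 = [[switch_entry(a, q, p) % p for a in row] for row in A]
    b2 = [switch_entry(v, q, p) % p for v in b]
    return A2, b2

def switched_error(A2, b2, s, p):
    """The error e' actually hidden in the new instance: b' - A' s, centred mod p."""
    n = len(s)
    return [center(b2[i] - sum(A2[i][j] * s[j] for j in range(n)), p)
            for i in range(len(b2))]

def error_bound(e, s, q, p):
    """Worst case for |e'_i|: (p/q)|e_i| from scaling the old error, 1/2 from
    rounding b, and (1/2) * sum_j |s_j| from the offsets R of A multiplied by s.
    The bound says something only when it is below p/2."""
    return (Fraction(p, q) * max(abs(v) for v in e)
            + Fraction(1, 2)
            + Fraction(sum(abs(v) for v in s), 2))

def report(n=16, m=32, q=2**20, p=1024, err_bound=4, binary_secret=True, seed=3):
    """Switch a constructed instance from q to p and compare the observed e'
    against the bound, for a binary or a uniform secret."""
    rng = random.Random(seed)
    s = [rng.randrange(2) if binary_secret else rng.randrange(q) for _ in range(n)]
    A, b, e = lwe_instance(n, m, q, s, err_bound, rng)
    A2, b2 = modulus_switch(A, b, q, p)
    e2 = switched_error(A2, b2, s, p)
    bound = error_bound(e, s, q, p)
    return {"max_err": max(abs(v) for v in e2),
            "bound": bound,
            "usable": bound < Fraction(p, 2)}

if __name__ == "__main__":
    print(report())                      # binary secret: bound about 8.5, usable
    print(report(binary_secret=False))   # uniform secret: bound in the millions
```

With the binary secret the bound is below 9 for these parameters, so e′ is a legitimate small error for LWE modulo p; with s uniform in Z_q^n the term (1/2)·Σ|s_j| alone is of order n·q/4, far above p, which is the reason the proof first reduces to a small secret.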

Pages 29–30

Summary of our new hardness proof of LWE

Our main result: a classical reduction from GapSVP in dimension √n to LWE in dimension n with poly(n) modulus.

Reductions of the proof:

Problem   Dimension   Modulus   Secret
GapSVP    √n
  ↓ 0 [Peikert 09]
LWE       √n          large     in Z_q^{√n}
  ↓ 1 New
LWE       n           large     small
  ↓ 2 New
LWE       n           poly(n)   in Z_q^n

Other results: the hardness of LWE_{n,q} is a function of n log q.

Open problems: is there a classical reduction as good as the one in [Regev 05]?
1. We lose a quadratic term in the dimension;
2. We do not have the same hard problem on lattices as Regev.


Page 33

Main result

The first lattice-based group signature (with N members) with logarithmic signature size (logarithmic in N), and security under the SIS and LWE assumptions (hard problems) in the Random Oracle Model.

• F. Laguillaumie, A. Langlois, B. Libert and D. Stehlé. Lattice-based Group Signature with Logarithmic Signature Size. In the proc. of Asiacrypt 2013.

Page 34

Group Signatures [Chaum, Van Heyst 91]

Group signatures allow any member of a group to anonymously and accountably sign on behalf of this group.

• Group manager: holds (mpk, msk) and the sk_i; runs KeyGen and Open
• Group members: hold sk_i; run Sign
• Anyone: runs Verify

Security:
• Anonymity
• Traceability

Page 35

Security: Anonymity and Traceability
Security requirements [Bellare, Micciancio, Warinschi 03]

• Anonymity: a given signature does not leak the identity of its originator. Two types: weak and full.
  weak: given sk_i for all users; goal: distinguish between two users.
  full: given sk_i for all users and an opening oracle; goal: distinguish between two users.

• Traceability: no collusion of malicious users can produce a valid signature that cannot be traced to one of them.
  Given msk and the sk_i of the users in the collusion; goal: create a valid signature that traces to someone not in the collusion.

Page 36

Prior works

• Introduced by [Chaum, Van Heyst 91],
• Generic construction [Bellare, Micciancio, Warinschi 03].

Realization                                  Signature size
Based on bilinear maps [Boyen, Boneh, Shacham 04]   constant number of elements of a large algebraic group
Lattice-based constructions [Gordon, Katz, Vaikuntanathan 10], [Camenisch, Neven, Rückert 10]   linear in N (number of group members)
Our result                                   logarithmic in N

Page 37

Our construction

Ingredients
• [Boyen 10]'s signature based on lattice trapdoors,
• Dual-Regev encryption [Gentry, Peikert, Vaikuntanathan 08],
• ZKPoK (zero-knowledge proof of knowledge) adapted from [Lyubashevsky 12].

Trapdoor
• TrapGen outputs (A, T_A) such that T_A allows to find short x('s) with xᵀ A = 0 mod q.
With T_A, we can solve SIS.
Computing T_A given A is hard; constructing A together with T_A is easy.

Pages 38–41

Signature using trapdoors [Boyen 10]

• pk = (A, (A_i)_{0≤i≤ℓ}), sk = T_A,
• A_M = A_0 + Σ_i M[i] A_i for M ∈ {0, 1}^ℓ.
• Signing M: given A ← U(Z_q^{m×n}), find x such that 0 < ‖x‖ ≤ β and xᵀ [A | A_M] = 0 mod q.
• Hard to solve given [A | A_M] ⇔ solve SIS → pk = A
• Easy to solve given T_A → sk = T_A

Application to group signature
• pk = (A, (A_i)_{0≤i≤ℓ}, (B_i)_{0≤i≤ℓ}) such that B_iᵀ · A_i = 0 mod q
• msk = {T_{B_i}}_i, trapdoors for the B_i's
• sk_id = T_{A_id}, with A_id = A_0 + Σ_i id[i] A_i
• Given A ← U(Z_q^{m×n}), find x such that 0 < ‖x‖ ≤ β and xᵀ [A | A_id] = 0 mod q.
• Hard to solve given A ⇔ solve SIS; easy to solve given T_A.

Pages 42–45

Our construction

• Create a temporary membership certificate: Boyen's signature of id (using T_id), i.e. produce (x1 || x2)ᵀ short such that (x1 | x2)ᵀ [A | A_0 + Σ_i id[i] A_i] = 0 mod q.
• Encrypt this certificate: x2 and the id_i · x2 go into the c_i's (0 ≤ i ≤ ℓ), using LWE-based encryption with the B_i's.
• Prove that the ciphertext encrypts a valid certificate belonging to a group member: π.
• Message? The ZKPoK is made non-interactive via Fiat-Shamir, incorporating the message in π.

Σ = ({c_i}_{0≤i≤ℓ}, π)

Page 46

Our construction

Verify:
• Check the proofs.

Open:
• Decrypt c0 (→ x2) and check whether p⁻¹ c_i or p⁻¹ (c_i − x2) is close to the Z_q-span of B_i.

• Size of the signatures: O(λ · log(N)).
• Size of the key of member i: O(λ²).
• λ = Θ(n) is the security parameter.

Page 48

Anonymity and Traceability (in the random oracle model)

Anonymity: weak anonymity under LWE.
Traceability: traceability under SIS.
• We also provide a variant with full anonymity.

Page 49

Open problems
• Making it practical,
• Improving the sizes of the signature and public key,
• Removing the Random Oracle Model.


Page 51

Main contributions
• Classical hardness of LWE,
• Hardness of LWE_{n,q} is a function of n log q,
• First lattice-based group signature with logarithmic signature size (and a second scheme with verifier local revocation).
• A. Langlois, D. Stehlé, R. Steinfeld. GGHLite: More Efficient Multilinear Maps from Ideal Lattices. In proc. of Eurocrypt 2014.

Page 52

Practical lattice-based cryptography

• Practical?
• Ring variants since 2006: A is made of the blocks Rot(a_1), …, Rot(a_m)
  • Structured A ∈ Z_q^{m·n×n} represented by m · n elements,
  • Product with a vector more efficient,
  • Hardness of Ring-SIS, [Lyubashevsky and Micciancio 06] and [Peikert and Rosen 06],
  • Hardness of Ring-LWE [Lyubashevsky, Peikert and Regev 11].
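An added example (not from the slides) of what the Rot(a_i) blocks buy: assuming the ring Z_q[x]/(x^n + 1), as in Ring-LWE over a power-of-two cyclotomic, Rot(a) is the negacyclic matrix of multiplication by a, so multiplying the structured A by a vector is m ring products computed from the m·n stored coefficients, with no need to materialise the m·n × n matrix. The ring choice, the modulus and the inputs are constructed for the example.

```python
def negacyclic_mul(a, s, q):
    """Schoolbook product of a and s in Z_q[x]/(x^n + 1): coefficients that
    spill past degree n-1 wrap around with a sign flip because x^n = -1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, sj in enumerate(s):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * sj) % q
            else:
                out[k - n] = (out[k - n] - ai * sj) % q
    return out

def rot(a, q):
    """Rot(a): the n x n matrix whose column j holds the coefficients of
    a * x^j mod (x^n + 1), so that Rot(a) . s equals a * s in the ring.
    Materialised here only to check the identity; in practice only a is stored."""
    n = len(a)
    cols = []
    col = list(a)
    for _ in range(n):
        cols.append(col)
        # multiply by x: shift coefficients up; the top one wraps to degree 0 negated
        col = [(-col[-1]) % q] + col[:-1]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def matvec(M, v, q):
    return [sum(x * y for x, y in zip(row, v)) % q for row in M]

def structured_product(a_list, s, q):
    """A = [Rot(a_1); ...; Rot(a_m)] in Z_q^{m n x n} applied to s, as m ring
    products: m * n^2 coefficient multiplications, m * n stored elements."""
    out = []
    for a in a_list:
        out.extend(negacyclic_mul(a, s, q))
    return out

def dense_product(a_list, s, q):
    """The same product through the materialised matrix, for comparison."""
    out = []
    for a in a_list:
        out.extend(matvec(rot(a, q), s, q))
    return out

def storage_counts(m, n):
    """Elements stored: structured A (m*n ring coefficients) vs dense A (m*n*n entries)."""
    return m * n, m * n * n

# Constructed inputs: m = 3 ring elements of degree < n = 4, modulus q = 17.
A_LIST = [[1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12]]
S = [2, 0, 1, 3]
Q = 17

if __name__ == "__main__":
    print(structured_product(A_LIST, S, Q) == dense_product(A_LIST, S, Q))
    print(storage_counts(3, 4))  # (12, 48)
```

For n = 2, a = 1 + 2x and s = 3 + 4x give a·s = 3 + 10x + 8x² = −5 + 10x, i.e. (12, 10) mod 17, and the columns of Rot(a) are (1, 2) and (−2, 1), which reproduce that product; the test below checks both routes agree on the constructed inputs as well.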

Pages 53–54

Open problems

• Security foundations
  • Hardness of LWE without quadratic loss,
  • Classical hardness of Ring-LWE.
• Constructions
  • Practical group signature scheme,
  • Removing the Random Oracle Model,
  • Practical and secure cryptographic multilinear maps.

Thank You