Foundations of Lattice Cryptography, Daniele Micciancio (slide deck)



SLIDE 1

Foundations of Lattice Cryptography

Daniele Micciancio

Department of Computer Science and Engineering University of California, San Diego

August 12-16, 2013, (UCI)

Daniele Micciancio Foundations of Lattice Cryptography

SLIDE 2

This Talk

• Introduction to Lattice Cryptography for Math/non-CS
  • Assume familiarity with math (number theory, lattices, . . . )
  • Focus on computational issues, relevant to cryptography/computer science
  • High level view. If you want to know more, ask questions!
• Cryptography ⊆ Math ∩ Computer Science
  • Same old lattices
  • Many interesting questions, both from math and cryptography
  • Here: what questions are relevant/important to cryptography?
  • Will use familiar examples from number theory for illustration

SLIDE 3

Lattices and Bases

• A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b1, . . . , bn} ⊂ ℝⁿ:
  $L = \sum_{i=1}^{n} b_i \cdot \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\}$
• The same lattice has many bases: $L = \sum_{i=1}^{n} c_i \cdot \mathbb{Z}$
• Definition (Lattice): a discrete additive subgroup of ℝⁿ

[Figure: two different bases {b1, b2} and {c1, c2} of the same planar lattice]

SLIDE 4

Cryptography

• Goal (informal): Build functions f : A → B that are hard to break
• Question 1: What does it mean to break a function?
  • Average-case vs Worst-case complexity
  • Pseudorandomness
  • . . . for now, assume “break” = “invert”
• Question 2: How do we argue that f is hard to break?
  • Attacks/Cryptanalysis: study the best known algorithms to invert the function
  • Security proofs: show that inverting the function allows one to solve an underlying mathematical problem

SLIDE 5

Familiar Example: Factoring based cryptography

• Definition (Factoring problem): Given composite N ∈ ℕ, find P, Q > 1 such that N = P · Q
• Cryptographic functions:
  • Square(x) = x² mod N (Rabin)
  • Cube(x) = x³ mod N (low exponent RSA)
• Definition (loRSA inversion problem): Given N ∈ ℕ and y ∈ ℤ*_N, find x such that Cube(x) = y.

[Figure: x ↦ x³ under Cube; the reverse arrow is marked “???”]

SLIDE 6

Relation between Inversion and Factoring problems

• Square, Cube are easy to invert if the factorization N = P · Q is known:
  • Invert modulo P and Q separately
  • Combine the results using the Chinese Remainder Theorem
• If you can invert x², then you can factor N:
  • Choose random x ∈ ℤ*_N, and compute x′ = √(x²) with the inverter
  • If x′ ≠ ±x, then gcd(x − x′, N) ∈ {P, Q} gives the factorization

[Figure: Factor N ⇒ Invert x² and Invert x³; Invert x² ⇒ Factor N; Invert x³ ⇒ Factor N is marked “???”]
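The square-root-to-factoring reduction on this slide, as an added Python example that is not part of the original slides. The square-root oracle is simulated: it knows P and Q, inverts modulo each prime and recombines with the CRT (the easy direction at the top of the slide), and returns one of the four roots at random; the reduction only ever calls it as a black box. The modulus, the primes, the function names and the attempt count are constructed for the demonstration.

```python
import math
import random

# Constructed toy modulus: two small primes, both congruent to 3 mod 4 so that
# a square root modulo each prime is a single exponentiation.
P_TOY, Q_TOY = 1019, 1031
N_TOY = P_TOY * Q_TOY


def crt(rp, rq, p, q):
    """Chinese Remainder Theorem: the unique x mod p*q with
    x = rp (mod p) and x = rq (mod q)."""
    inv_p = pow(p, -1, q)           # modular inverse (Python 3.8+)
    return (rp + p * (((rq - rp) * inv_p) % q)) % (p * q)


def sqrt_oracle(y, p, q, rng=random):
    """Simulated square-root oracle. It knows the factorization, so it inverts
    Square(x) = x^2 mod N modulo p and modulo q separately and combines the
    results with the CRT. Among the four roots it returns one at random:
    it has no way to know which root the caller started from."""
    rp = pow(y % p, (p + 1) // 4, p)   # square root mod p, valid for p = 3 (mod 4)
    rq = pow(y % q, (q + 1) // 4, q)
    rp = rng.choice([rp, (p - rp) % p])
    rq = rng.choice([rq, (q - rq) % q])
    return crt(rp, rq, p, q)


def factor_with_sqrt_oracle(n, oracle, rng=random, attempts=64):
    """Reduction from the slide: if you can invert x^2 mod n, you can factor n.
    Pick a random x, ask the oracle for a root x' of x^2; whenever x' != +-x,
    gcd(x - x', n) is a proper factor. Each attempt succeeds with probability
    1/2, so `attempts` trials all fail only with probability 2^-attempts."""
    for _ in range(attempts):
        x = rng.randrange(2, n)
        g = math.gcd(x, n)
        if g != 1:                     # lucky: x already shares a factor with n
            return tuple(sorted((g, n // g)))
        x_prime = oracle(x * x % n)
        assert x_prime * x_prime % n == x * x % n, "oracle returned a non-root"
        if x_prime not in (x, n - x):
            g = math.gcd(x - x_prime, n)
            return tuple(sorted((g, n // g)))
    return None                        # only reached if every trial returned +-x


if __name__ == "__main__":
    print(factor_with_sqrt_oracle(N_TOY, lambda y: sqrt_oracle(y, P_TOY, Q_TOY)))
```

The point to notice is that the reduction never needs the oracle to be good at any particular x: because x is chosen uniformly and the oracle cannot tell which of the four roots the caller holds, half of all calls yield a root that differs from ±x.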

SLIDE 7

Lattice cryptography

Two “kinds” of cryptographic functions:
• Functions for which lattice algorithms are the best known, or most natural, attack (e.g., NTRU, Gentry FHE, . . . ). [Figure: Lattice Problem ⇒ Invert f; the arrow Invert f ⇒ Lattice Problem is marked “???”]
• Functions that are at least as hard to break as some standard lattice problem (e.g., Ajtai, Regev, . . . ). [Figure: Lattice Problem ⇒ Invert f ⇒ Lattice Problem]

• What does f look like? What Lattice Problem shall we use?
• f may look quite different from the Lattice Problem!

SLIDE 8

Minimum Distance and Successive Minima

• Minimum distance: $\lambda_1 = \min_{x,y \in L,\, x \neq y} \|x - y\| = \min_{x \in L,\, x \neq 0} \|x\|$
• Successive minima (i = 1, . . . , n): $\lambda_i = \min\{ r : \dim \mathrm{span}(B(r) \cap L) \geq i \}$, where B(r) is the ball of radius r
• Examples:
  • ℤⁿ: λ1 = λ2 = . . . = λn = 1
  • Always: λ1 ≤ λ2 ≤ . . . ≤ λn

[Figure: a planar lattice with the radii λ1 and λ2 marked]

SLIDE 9

Distance Function and Covering Radius

• Distance function: $\mu(t, L) = \min_{x \in L} \|t - x\|$
• Covering radius: $\mu(L) = \max_{t \in \mathrm{span}(L)} \mu(t, L)$
• Spheres of radius µ(L) centered around all lattice points cover the whole space

[Figure: a target t, its distance µ(t, L) to the lattice, and spheres of radius µ around the lattice points]

SLIDE 10

Relations among lattice parameters

Theorem: λ1(L) ≤ λ2(L) ≤ . . . ≤ λn(L) ≤ 2µ(L) ≤ √n · λn(L)

Theorem (Banaszczyk):
• 1 ≤ 2λ1(L) · ρ(L*) ≤ n
• 1 ≤ λi(L) · λn−i+1(L*) ≤ n

Remarks:
1. µ ≈ λn (up to √n factors)
2. For some lattices λ1 ≪ λ2 ≪ . . . ≪ λn
3. For some lattices λ1 = λ2 = . . . = λn and 2µ = √n · λn
4. For some lattices λ1 = λ2 = . . . = λn and µ ≤ 2λn

Problem: Give an explicit construction of a lattice satisfying (4)

SLIDE 11

Shortest Vector Problem

Definition (Shortest Vector Problem, SVPγ): Given a lattice L(B), find a (nonzero) lattice vector Bx (with x ∈ ℤᵏ) of length (at most) ‖Bx‖ ≤ γλ1

[Figure: basis b1, b2; circles of radius λ1 and 2λ1; the lattice vector Bx = 5b1 − 2b2 inside the larger circle]

SLIDE 12

Shortest Independent Vectors Problem

Definition (Shortest Independent Vectors Problem, SIVPγ): Given a lattice L(B), find n linearly independent lattice vectors Bx1, . . . , Bxn of length (at most) maxᵢ ‖Bxᵢ‖ ≤ γλn

[Figure: basis b1, b2; circles of radius λ2 and 2λ2; two linearly independent lattice vectors Bx1, Bx2 inside the larger circle]

SLIDE 13

Closest Vector Problem

Definition (Closest Vector Problem, CVPγ): Given a lattice L(B) and a target point t, find a lattice vector Bx within distance ‖Bx − t‖ ≤ γµ from the target

[Figure: basis b1, b2; target t with circles of radius µ and 2µ around it; the lattice vector Bx inside the larger circle]

SLIDE 14

Special Versions of SVP, SIVP and CVP

• GapSVP: compute (or approximate) the value λ1 without necessarily finding a short vector
• GapSIVP: compute (or approximate) the value λn without necessarily finding short linearly independent vectors
• Bounded Distance Decoding (BDD): Solve CVP when µ(t, L) < λ1(L)/(2γ)
• Absolute Distance Decoding (ADD): Find a lattice point Bx such that ‖Bx − t‖ ≤ γ · µ(L)

SLIDE 15

Relations among (general) lattice problems

• SIVP ≈ ADD [MG’01]
• SVP ≤ CVP [GMSS’99]
• SIVP ≤ CVP [M’08]
• GapSVP ≈ GapSIVP [LLS’90, B’93]
• GapSVP and BDD [LM’09] (relation shown in the figure)

[Figure: reduction diagram among GapSVP, GapSIVP, BDD, SIVP, ADD, SVP and CVP (the BDD / SIVP / CVP / SVP edge labelled [L’86]), with the problems grouped under Public Key Cryptography and Private Key Cryptography]

Question: Can we say the same about lattices with symmetries? See [PR’07] for SVP ≤ CVP.

SLIDE 16

Worst-case vs. Average-case Hardness

• Definition (Factoring problem): Given composite N ∈ ℕ, find P, Q > 1 such that N = P · Q
• Algorithm A solves the factoring problem if for any composite N, it outputs P, Q > 1 such that N = PQ.
• Factoring is hard = No efficient algorithm solves Factoring
  • Same as: for every efficient algorithm A there exists a composite N such that A(N) does not output P, Q
  • This is worst-case hardness: the hardest-to-factor N is indeed hard to factor

Not enough for cryptography!
• It doesn’t matter if some key is hard to break
• You want assurance that your (randomly chosen) key is hard to break with high probability
• Average-case hardness: most N are hard to factor

SLIDE 17

Difficulties with average-case complexity

• Average-case complexity depends on the input distribution
• Let N be a uniformly random integer in {1, . . . , 2ⁿ}
  • Easy on average: N = 2 · (N/2) with probability 50%!
• Let N be uniformly random in {N ∈ {1, . . . , 2ⁿ} : N = P · Q}
  • Still easy: there are O(2ⁿ/n) products with P = 2, and only O(2ⁿ/n²) products with P ≈ Q.
• Let N = P · Q where P, Q ∈ {1, . . . , 2^{n/2}} are chosen uniformly at random
  • Ok, maybe now we got it right. This is believed to be hard on average.
  • Belief is based on many decades (or centuries) of hard work!

Question: How do we know a distribution is right for cryptography?

SLIDE 18

Average-case hardness: inversion problem

• Definition (loRSA inversion problem): Given N ∈ ℕ and y = Cube(x), recover x
• Assume N = P · Q is a hard distribution for N
• Question: how shall we choose x?
• Answer: choose x ∈ ℤ*_N uniformly at random
• Why? This is provably the hardest distribution!
  • Assume we can invert Cube on the average (say, w/ prob. 1%)
  • Say we want to invert y = Cube(x) (in the worst case)
  • Compute y′ = y · Cube(r) for randomly chosen r ∈ ℤ*_N
  • Notice: x′ = x · r ∈ ℤ*_N is uniformly random and Cube(x′) = y′
  • Recover x′ = x · r (with probability 1%)
  • Compute x = x′/r
  • Repeat 100 times to boost the success probability
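The worst-case-to-average-case self-reduction on this slide, as an added Python example that is not part of the original slides. The "average-case inverter" is simulated by a function that answers only on one fixed slice holding about 1% of ℤ*_N and refuses everywhere else (so it is a 1% inverter in the slide's sense, and it is hopeless on a y outside the slice); the reduction randomizes its input and unblinds the answer exactly as the bullets describe. The modulus, the primes, the slice and the function names are constructed for the demonstration.

```python
import math
import random

# Constructed toy RSA-style modulus with public exponent 3. gcd(3, phi(N)) = 1,
# so Cube is a permutation of Z_N^* and every y has exactly one cube root.
P_TOY, Q_TOY = 1019, 1031
N_TOY = P_TOY * Q_TOY
PHI_TOY = (P_TOY - 1) * (Q_TOY - 1)


def cube(x, n=N_TOY):
    """The low-exponent RSA function Cube(x) = x^3 mod N from the slides."""
    return pow(x, 3, n)


def weak_inverter(y):
    """Simulated average-case inverter. It answers only when y lies in one
    fixed slice of Z_N^* (the smallest 1% of residues) and gives up otherwise,
    so on a uniformly random y it succeeds with probability about 1%. Inside
    it uses the secret factorization; the reduction never looks inside."""
    if y >= N_TOY // 100:
        return None
    d = pow(3, -1, PHI_TOY)            # private exponent: 3*d = 1 (mod phi)
    return pow(y, d, N_TOY)


def invert_any(y, inverter, rng=random, attempts=2000):
    """Random self-reduction from the slide. Whatever y is, y' = y*Cube(r)
    for uniform r in Z_N^* is uniform in Z_N^*, so the average-case inverter
    sees an input it is good at with its usual probability; its answer
    x' = x*r is then unblinded by dividing out r."""
    for _ in range(attempts):
        r = rng.randrange(1, N_TOY)
        if math.gcd(r, N_TOY) != 1:
            continue                   # r must be in Z_N^* for r^-1 to exist
        y_prime = y * cube(r) % N_TOY
        x_prime = inverter(y_prime)
        if x_prime is None:
            continue                   # inverter failed on this y'; try a fresh r
        x = x_prime * pow(r, -1, N_TOY) % N_TOY
        assert cube(x) == y % N_TOY
        return x
    return None


def success_rate(inverter, trials=2000, rng=random):
    """Fraction of random cube values the inverter answers directly, for
    comparison with invert_any, which succeeds on essentially every y."""
    hits = 0
    for _ in range(trials):
        y = cube(rng.randrange(1, N_TOY))
        hits += inverter(y) is not None
    return hits / trials


if __name__ == "__main__":
    x = 424242
    print("direct success rate:", success_rate(weak_inverter))
    print("recovered via self-reduction:", invert_any(cube(x), weak_inverter) == x)
```

Repeating the blinded call until the inverter answers is the "repeat 100 times" bullet; with a 1% inverter the expected number of calls is 100, and 2000 attempts fail with probability 0.99^2000, which is negligible.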

SLIDE 19

Cryptographic functions

Definition (Ajtai’s function): fA(x) = Ax mod q, where A ∈ ℤ_q^{n×m} and x ∈ {0, 1}^m

[Figure: worked example with q = 10 of a binary column x ∈ {0, 1}^m, an n × m matrix A ∈ ℤ_q^{n×m} and the output y = Ax ∈ ℤ_qⁿ; entries of A as extracted: 1 4 5 9 3 2 4 2 8 6 2 4 3 7 5 5 4 7 8 2 7 1 4 6 9; y as extracted: 2 2 7 1]

Cryptanalysis (Inversion): Given A and y, find x ∈ {0, 1}^m such that Ax = y

SLIDE 20

Ajtai’s function and lattice problems

• Cryptanalysis (Inversion): Given A and y, find a small solution x ∈ {0, 1}^m to the inhomogeneous linear system Ax = y (mod q)
• Inverting Ajtai’s function can be formulated as a lattice problem:
  • Easy problem: find an (arbitrary) integer solution t to the system of linear equations At = y (mod q)
  • All solutions to Ax = y are of the form t + L where L = {x ∈ ℤ^m : Ax = 0 (mod q)}
  • Cryptanalysis problem: find a small vector in t + L
  • Equivalently: find a lattice vector v ∈ L close to t
• Inverting Ajtai’s function is an average-case instance of the Closest Vector Problem where the lattice is chosen according to L, for A ∈ ℤ_q^{n×m}, and x is a random “short” vector.

SLIDE 21

Breaking a function

What does it mean to “break” f : A → B?
• Recovery Problem: Given f and f(x), recover x
  • with nonnegligible probability when f, x are chosen at random
• Inversion Problem: Given f and y ∈ B, find x s.t. f(x) = y
  • with nonnegligible probability when f, x are chosen at random
• Decision Problem: Given f and y ∈ B, determine if y ∈ f(A)
  • Given random f and y ∈ B, determine if y was chosen as y = f(x) (for random x), or uniformly from B.

Definition (Pseudorandomness): f(x) looks like a uniformly random element of f(A).

SLIDE 22

Pseudorandomness

• The output of f : A → B is pseudorandom if f(A) looks like B.
  • Interesting property when |A| ≪ |B|.
• Very important in cryptography:
  • Typically f(x) is used as an input or key to some other cryptographic function
  • If f(x) does not look random, it cannot be used as a key
  • Example: if f(x) is used as a one-time pad, then correlations in f(x) reveal correlations in the message.
• Pseudorandomness can be very tricky:
  • Example: square(x) = x² (mod N)
  • Decision problem: determine if y is a quadratic residue
  • Are random quadratic residues hard to recognize? Is testing quadratic residuosity as hard as factoring?

SLIDE 23

Lattice Based Cryptography

• Ajtai: fA(x) = Ax (mod q), where A ∈ ℤ_q^{n×m} and x ∈ {0, 1}^m are chosen uniformly at random.
• Regev: Similar, but for parameters that make fA injective
• Lattice Problem: GapSVP, approximate λ1 within a factor Õ(n) in the worst case

[Figure: GapSVP ⇒ Invert random f ⇒ f(x) ≈ uniform over ℤ_qⁿ?]

This is the right way to use lattices!

SLIDE 24

Lattices with symmetries

Why use lattices with symmetries?
• fA(x) = Ax can be computed much faster when A is a structured matrix, both in theory and practice
  • E.g., SWIFFT function [LMPR’08]: performance comparable to block ciphers
• Mathematically attractive (algebraic number theory, etc.)
• Cryptanalysis: Are structured A’s easier to break? Is fA(x) still pseudorandom?
• Security proof: fA still hard to invert, assuming worst-case hardness of SVP on algebraic lattices [M’02]
• One-way and pseudorandom even in the injective setting [LPR’10, LPR’13]

SLIDE 25

Limitations of proof based security analysis

• Proof of security shows that
  • uniform A ∈ ℤ_q^{n×m} is the right distribution for cryptography,
  • fA(x) = Ax (mod q) is the right way to use A.
• However, it does not provide a good indication of the concrete hardness of breaking fA.

Conclusion
• Security proofs provide strong qualitative results pointing to the right distribution to be used in lattice cryptography
• Concrete security is better assessed by cryptanalysis / lattice algorithms

SLIDE 26

Lattice Algorithms

• Best known attack against lattice cryptography
• Most accurate method to assess the current security level of lattice cryptography
• Many other applications:
  • Algebraic Number Theory
  • Factoring polynomials
  • Coding theory
  • Integer Programming
  • . . .

SLIDE 27

The LLL Algorithm [LLL’82]

• Landmark result in theoretical computer science
• Elegant theoretical analysis showing it approximates SVP within a γ = 2^{O(n)} factor
• Works much better in practice when run on “random” lattices
• Still, as the dimension grows, experiments confirm the γ = 2^{O(n)} approximation

Questions
1. Can we do better than LLL?
2. Can lattice algorithms take advantage of lattice symmetries?

SLIDE 28

Beyond LLL: Exact Algorithms

Lattice algorithms for the exact solution of SVP, CVP, etc.

Algorithm          Time             Space   Prob.   Problem
Enum. [K’87]       2^{O(n log n)}   poly    no      SVP, CVP, SIVP
Sieve [AKS’01]     2^{O(n)}         exp     yes     SVP
Voronoi [MV’10]    2^{O(n)}         exp     no      SVP, CVP, SIVP

• All work for arbitrary lattices
• Use very different techniques/ideas
• Can these methods take advantage of lattice symmetries?
• Can they solve BDD faster than SVP/CVP?

SLIDE 29

Beyond LLL: Polynomial time approximation

• Generalize LLL using exact algorithms for SVP in small dimensional sublattices
  • Block Korkine Zolotarev (BKZ) [Schnorr’87]
  • Rankin/Mordell inequality [GHKN’06, GN’08, DM’13]
• Polynomial time approximation:
  • LLL+Enumeration: γ = 2^{O(n (log log n)² / log n)}
  • LLL+Sieving: γ = 2^{O(n log log n / log n)} (randomized)
  • LLL+Voronoi: γ = 2^{O(n log log n / log n)}
• Smooth trade-off between running time and approximation: γ ≈ 2^{O(n log log T / log T)}

SLIDE 30

References

MG: Micciancio, Goldwasser (Springer 2001)
GMSS: Goldreich, Micciancio, Safra, Seifert (Inf. Proc. Letters, 1999)
M: Micciancio (SODA 2008); Micciancio (FOCS 2002 / Comp. Compl. 2007)
L: Lovasz (SIAM 1986)
LLS: Lagarias, Lenstra, Schnorr (Combinatorica 1990)
B: Banaszczyk (Math. Ann. 1993)
LM: Lyubashevsky, Micciancio (Crypto 2009)
PR: Peikert, Rosen (STOC 2007)
LPR: Lyubashevsky, Peikert, Regev (Eurocrypt 2010, 2013)
LMPR: Lyubashevsky, Micciancio, Peikert, Rosen (FSE 2008)
LLL: Lenstra, Lenstra, Lovasz (Math. Ann. 1982)
K: Kannan (STOC 1983)
AKS: Ajtai, Kumar, Sivakumar (STOC 2001)
MV: Micciancio, Voulgaris (STOC 2010, SIAM J. Comp. 2013)
GHKN: Gama, Howgrave-Graham, Koy, Nguyen (Crypto 2006)
GN: Gama, Nguyen (STOC 2008)
DM: Dadush, Micciancio (SODA 2013)

SLIDE 31

Blurring a lattice

• Consider an arbitrary lattice, and add noise to each lattice point until the entire space is covered.
• Increase the noise until the space is uniformly covered.
• How much noise is needed? [MR] r ≤ (log n) · √n · λn / 2
• Each point a ∈ ℝⁿ can be written a = v + r where v ∈ L and ‖r‖ ≈ √n · λn.
• a ∈ ℝⁿ is uniformly distributed.

[Figure: lattice points v, noise vectors r and the resulting points a = v + r, repeated across the plane]

SLIDE 32

Security of Ajtai’s function (sketch)

• Generate random points aᵢ = vᵢ + rᵢ, where
  • vᵢ is a random lattice point
  • rᵢ is a random error vector of length ‖rᵢ‖ ≈ √n · λn
• A = [a1, . . . , am] is distributed almost uniformly at random in ℝ^{n×m}, q = n^{O(1)}, m = O(n log q) = O(n log n), so
• if we can break Ajtai’s function fA, then we can find a vector z ∈ {−1, 0, 1}^m such that
  $\sum_i (v_i + r_i) z_i = \sum_i a_i z_i = 0$
• Rearranging the terms yields a lattice vector
  $\sum_i v_i z_i = -\sum_i r_i z_i$
  of length at most $\|\sum_i r_i z_i\| \approx \sqrt{m} \cdot \max_i \|r_i\| \approx n \cdot \lambda_n$
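Ajtai's function, the coset formulation of its inversion problem (slide 20) and the collision-to-short-vector step of the security sketch on this slide, as an added Python example that is not part of the original slides. The matrix and the dimensions n = 2, m = 10 (with q = 10 as on slide 19) are constructed so small that all 2^m binary inputs can be enumerated, which forces collisions by the pigeonhole principle (1024 inputs onto 100 outputs); in the proof the collision instead comes from the assumed inverter, applied to y = fA(x) for a fresh random x. All function names are assumptions of this example.

```python
import itertools
import random

# Constructed toy parameters (not the slide's figure): q = 10, n = 2 equations,
# m = 10 binary unknowns. 2^m = 1024 inputs map onto q^n = 100 outputs.
Q, N, M = 10, 2, 10
EXAMPLE_A = [
    [1, 4, 5, 9, 3, 2, 4, 2, 8, 6],
    [2, 4, 3, 7, 5, 5, 4, 7, 8, 2],
]


def ajtai(A, x, q=Q):
    """f_A(x) = A x mod q, with A given as a list of n rows of length m."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)


def in_lattice(A, v, q=Q):
    """Membership in L = {x in Z^m : A x = 0 (mod q)}, the lattice of slide 20."""
    return all(sum(a * vi for a, vi in zip(row, v)) % q == 0 for row in A)


def preimages(A, y, q=Q):
    """All binary x with f_A(x) = y, by exhaustive search (toy sizes only)."""
    m = len(A[0])
    return [x for x in itertools.product((0, 1), repeat=m) if ajtai(A, x, q) == y]


def solutions_form_coset(A, y, q=Q):
    """Slide 20's structure, checked on the binary solutions: with t any one
    solution, every other solution x satisfies x - t in L, i.e. x in t + L."""
    sols = preimages(A, y, q)
    if not sols:
        return False
    t = sols[0]
    return all(in_lattice(A, tuple(a - b for a, b in zip(x, t)), q) for x in sols)


def collision_to_short_vector(A, q=Q):
    """The step used in the security sketch: two distinct binary preimages
    x, x' of the same y give z = x - x' in {-1, 0, 1}^m with A z = 0 (mod q),
    a nonzero lattice vector of Euclidean length at most sqrt(m)."""
    m = len(A[0])
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        y = ajtai(A, x, q)
        if y in seen:
            return tuple(a - b for a, b in zip(x, seen[y]))
        seen[y] = x
    return None                    # unreachable when 2^m > q^n


def squared_length(v):
    return sum(c * c for c in v)


def random_matrix(n=N, m=M, q=Q, rng=random):
    """Uniform A in Z_q^{n x m}, the distribution the security proof is about."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


if __name__ == "__main__":
    A = random_matrix()
    z = collision_to_short_vector(A)
    print("z =", z, "A z = 0 mod q:", in_lattice(A, z), "||z||^2 =", squared_length(z))
```

The length bound is what makes the collision useful: z has at most m nonzero entries of absolute value 1, so it is a lattice vector of length at most √m no matter which two preimages produced it, which is the quantity the slide then relates to the error vectors rᵢ.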