From linear algebra to post-quantum cryptography - PowerPoint PPT Presentation

Dr. Ir. Fré Vercauteren, frederik.vercauteren@gmail.com, Open Security Research (China), ESAT/COSIC - KU Leuven. Three parts: Quantum computers and factoring; Learning with errors; Cryptography from LWE.


slide-1
SLIDE 1

Quantum computers and factoring | Learning with errors | Cryptography from LWE

From linear algebra to post-quantum cryptography

Dr. Ir. Fré Vercauteren
frederik.vercauteren@gmail.com
Open Security Research (China)
ESAT/COSIC - KU Leuven (Belgium)

Dr. Ir. Fré Vercauteren, From linear algebra to post-quantum cryptography

slide-2
SLIDE 2

Outline

◮ Quantum computers and factoring
◮ Learning with errors
◮ Cryptography from LWE

slide-6
SLIDE 6 (final build of slides 3-6)

Post-quantum public key cryptography

◮ Currently only two types of public-key cryptography are popular
  ◮ Factoring based: given $n = p \cdot q$, find $p$ and $q$ (RSA)
  ◮ Discrete logarithm based: given $g$ and $h = g^a \bmod p$, find $a$ (DSA, ECDSA)
◮ Shor (1994): quantum algorithm for factoring and discrete logarithms in time $\tilde{O}((\log N)^2)$, i.e. polynomial in the bit length of the modulus
◮ Need for new constructions for the post-quantum era
  ◮ Lattice based
  ◮ Multivariate polynomial based
  ◮ Code based
  ◮ Hash based
  ◮ Supersingular isogenies

slide-8
SLIDE 8 (final build of slides 7-8)

Quantum computers

◮ Classical computer: bits, either 0 or 1
◮ Quantum computer: quantum bit (qubit)
◮ Qubit: superposition of the two basic states $|0\rangle$ and $|1\rangle$
  $|\phi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle, \quad \alpha_0, \alpha_1 \in \mathbb{C}, \quad |\alpha_0|^2 + |\alpha_1|^2 = 1$
◮ $\alpha_i$ is called the amplitude of $|i\rangle$ in $|\phi\rangle$
◮ Impossible to "see" the superposition itself
◮ Measurement: the quantum state collapses into the basic state $|i\rangle$ with probability $|\alpha_i|^2$

slide-9
SLIDE 9

Quantum computers

◮ Quantum register: $n$ qubits can be in a superposition of $N = 2^n$ basic states $|00\ldots0\rangle, |00\ldots1\rangle, \ldots, |11\ldots1\rangle$
◮ Quantum state: $|\phi\rangle = \sum_{i=0}^{N-1} \alpha_i |i\rangle$ with $\sum_{i=0}^{N-1} |\alpha_i|^2 = 1$

slide-11
SLIDE 11 (final build of slides 10-11)

Quantum computation

◮ Quantum mechanics only allows linear operations applied to a quantum state
◮ A state $|\phi\rangle = \sum_{i=0}^{N-1} \alpha_i |i\rangle$ with "coordinates" $(\alpha_0, \ldots, \alpha_{N-1})$ gets mapped to
  $$U \cdot \begin{pmatrix} \alpha_0 \\ \alpha_1 \\ \vdots \\ \alpha_{N-1} \end{pmatrix} = \begin{pmatrix} \beta_0 \\ \beta_1 \\ \vdots \\ \beta_{N-1} \end{pmatrix}$$
◮ Since the right-hand side has norm 1 as well, $U$ has to be unitary
◮ Note that a general $U$ has exponential size ($N \times N$ with $N = 2^n$) . . .

slide-13
SLIDE 13 (final build of slides 12-13)

Quantum computation

◮ Quantum gate: unitary matrix on a small number of qubits
◮ Main example: 1-qubit Hadamard transform $H$ given by
  $$(\alpha_0, \alpha_1) \mapsto \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \begin{pmatrix} \alpha_0 \\ \alpha_1 \end{pmatrix}$$
◮ Maps the basic state $|0\rangle$ into the superposition $\frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$
◮ Hadamard on each qubit of an $n$-qubit register gives ($N = 2^n$)
  $$\frac{1}{\sqrt{N}}|0\rangle + \frac{1}{\sqrt{N}}|1\rangle + \ldots + \frac{1}{\sqrt{N}}|N-1\rangle$$
◮ The matrix $U$ is the $n$-fold tensor product $H \otimes \cdots \otimes H$ of the $2 \times 2$ matrix above

slide-15
SLIDE 15 (final build of slides 14-15)

Quantum parallelism

◮ Given a function $f : \{0,1\}^n \to \{0,1\}^m$, make a quantum circuit $U$ that maps $|x\rangle|0\rangle$ into $|x\rangle|f(x)\rangle$
◮ Applying $U$ to a superposition gives
  $$U \left( \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle|0\rangle \right) = \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle|f(x)\rangle$$
◮ This by itself is totally useless, since observing the above state gives a single random $|x\rangle|f(x)\rangle$

slide-16
SLIDE 16

(Quantum) Fourier Transform

◮ Set $N = 2^n$, and let $\omega_N = \exp(2\pi i / N)$ be a primitive $N$-th root of unity
◮ QFT: maps the standard basis state $|x\rangle$ into the state $\frac{1}{\sqrt{N}} \sum_{y=0}^{N-1} \omega_N^{xy} |y\rangle$
◮ The $2^n$-point QFT can be computed by a circuit of $O(n^2)$ quantum gates ($n$ Hadamard gates and $n(n-1)/2$ controlled phase rotations), even though the matrix itself has $N \times N = 2^{2n}$ entries

slide-18
SLIDE 18 (final build of slides 17-18)

Factoring via period finding

◮ Given an $N$ one wants to factor, fix $m$ coprime to $N$
◮ Define $f : \mathbb{N} \to \mathbb{Z}/N\mathbb{Z} : k \mapsto m^k \bmod N$
◮ $f(x) = f(x + r)$ with period $r$ the order of $m$ modulo $N$
◮ Assume $r$ is even, then
  $$m^r - 1 \equiv (m^{r/2} + 1)(m^{r/2} - 1) \equiv 0 \pmod N, \quad \text{i.e. } (m^{r/2} + 1)(m^{r/2} - 1) = kN$$
◮ Compute $\gcd(m^{r/2} - 1, N)$ as a factor of $N$: $m^{r/2} \not\equiv 1 \pmod N$ because $r$ is the order, so the gcd is non-trivial unless $m^{r/2} \equiv -1 \pmod N$
◮ Probability $> 1/4$ (over the choice of $m$) that $r$ is even and the above gcd is non-trivial; otherwise pick another $m$

slide-24
SLIDE 24 (final build of slides 19-24)

Shor's algorithm = period finding

◮ 1: two quantum registers:
  ◮ an $n$-qubit register with $N^2 < q := 2^n \le 2N^2$
  ◮ a $\lceil \log_2 N \rceil$-qubit register
◮ 2: use Hadamard $n$ times to create the superposition $\frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle|0\rangle$
◮ 3: apply the function $f(x) = m^x \bmod N$ to the above state:
  $$\frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle|m^x \bmod N\rangle$$
◮ 4: measure the second register, so it collapses to one value, say $m^s \bmod N$; the first register is then (up to normalisation, ignoring the second register) $\sum_{s + jr < 2^n} |s + jr\rangle$
◮ 5: apply the $2^n$-point QFT, which gives $\sum_x \alpha_x |x\rangle$ where $\alpha_x \simeq 0$ for all $x$ not close to a multiple of $q/r$
◮ 6: measuring gives $b$ very close to $kq/r$ for some $k$, i.e. $|b/q - k/r| \le 1/(2q)$
◮ 7: recover $r$ (and $k$) from $b$ and $q$ using continued fractions: since $q > N^2 \ge r^2$, the fraction $k/r$ is a convergent of $b/q$; if $\gcd(k, r) > 1$ only a divisor of $r$ is found (check $m^r \equiv 1 \pmod N$) and the run is repeated

slide-25
SLIDE 25

Shor's algorithm example

◮ Factor $N = 33$
◮ Choose $m = 2$, which has order $r = 10$ modulo 33
◮ Measurement will give an integer close to a multiple of $256/10 = 25.6$ (the slide takes an 8-qubit first register, $q = 256$; the bound $N^2 < q$ of step 1 would ask for $q = 2^{11}$, but for $r = 10$ any $q > r^2$ already makes the continued-fraction step unambiguous)
◮ Caveat: $2^{5} = 32 \equiv -1 \pmod{33}$, so for this $m$ the gcd of step 7 is $\gcd(31, 33) = 1$ and the run has to be repeated with another base, e.g. $m = 5$ (also of order 10) gives $\gcd(5^5 - 1, 33) = 11$
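The classical half of Shor's algorithm on the $N = 33$ example, as an added example (not code from the slides). The quantum steps 2 to 6 are simulated: the measurement outcome $b$ is drawn from the exact post-QFT distribution for the true period $r$, which only works because $N$ is tiny. Steps 1 and 7 (register size $q = 256$ as on the slide, continued fractions, gcd) are the genuine algorithm. All function names are this example's own.

```python
# Classical half of Shor's algorithm for N = 33 (added example, not from the slides).
# The quantum part is simulated from the known period; the continued-fraction and
# gcd post-processing is the real algorithm.
from fractions import Fraction
from math import gcd
import cmath
import random


def order(m, N):
    """Multiplicative order r of m modulo N by brute force (small N only)."""
    assert gcd(m, N) == 1
    r, x = 1, m % N
    while x != 1:
        x = (x * m) % N
        r += 1
    return r


def qft_measurement_distribution(r, q, s=0):
    """Step 5: probabilities of measuring b in 0..q-1 after the q-point QFT, for a
    first register that collapsed to (sum over s+jr < q of |s+jr>) / sqrt(#terms)."""
    terms = range(s, q, r)
    probs = []
    for b in range(q):
        amp = sum(cmath.exp(2j * cmath.pi * x * b / q) for x in terms)
        probs.append(abs(amp) ** 2 / (len(terms) * q))
    return probs


def recover_period(b, q, N):
    """Step 7: denominator r < N of the convergent k/r of b/q with
    |b/q - k/r| <= 1/(2q); None if no convergent qualifies."""
    target = Fraction(b, q)
    num, den = b, q
    h_prev, h, k_prev, k = 0, 1, 1, 0            # convergent recurrences
    while den:
        a, (num, den) = num // den, (den, num % den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        if k >= N:
            break
        if abs(target - Fraction(h, k)) * 2 * q <= 1:
            return k
    return None


def shor_factor(N, m, q, rng):
    """One run: a non-trivial factor of N, or None when the run fails (odd r,
    m^(r/2) = -1 mod N, or the measurement only revealed a divisor of r)."""
    if gcd(m, N) != 1:
        return gcd(m, N)                          # m already shares a factor
    r_true = order(m, N)                          # known only to the simulator
    s = rng.randrange(r_true)                     # outcome of the step-4 measurement
    probs = qft_measurement_distribution(r_true, q, s)
    b = rng.choices(range(q), weights=probs)[0]   # step 6
    r = recover_period(b, q, N)
    if r is None or r % 2 or pow(m, r, N) != 1:
        return None
    f = gcd(pow(m, r // 2, N) - 1, N)             # (m^(r/2)+1)(m^(r/2)-1) = kN
    return f if 1 < f < N else None


def factor_with_retries(N, q, rng, tries=50):
    """Repeat with random bases m until a run succeeds; returns (factor, m)."""
    for _ in range(tries):
        m = rng.randrange(2, N)
        f = shor_factor(N, m, q, rng)
        if f:
            return f, m
    return None


if __name__ == "__main__":
    rng = random.Random(2024)
    print("order of 2 mod 33:", order(2, 33))                   # 10
    print("m = 2 always fails:", shor_factor(33, 2, 256, rng))  # 2^5 = -1 mod 33
    print("m = 5:", shor_factor(33, 5, 256, rng))               # 11 whenever r = 10 is found
    print("random bases:", factor_with_retries(33, 256, rng))
```

Running `shor_factor(33, 2, 256, rng)` never succeeds, whatever the measurement, because every recovered candidate is a divisor of 10 and the full period gives the trivial gcd; `factor_with_retries` shows why the algorithm is stated with a random base and a retry loop.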

slide-28
SLIDE 28 (final build of slides 26-28)

Quantum algorithms

◮ Shor's algorithm: $\tilde{O}((\log N)^2)$ steps on a quantum computer, needs about $3 \log N$ qubits
◮ Discrete logarithms: compute $a$ given $g$ and $h = g^a \bmod p$
  ◮ Function $f : \mathbb{Z} \times \mathbb{Z} \to G : (x, y) \mapsto h^{-x} \cdot g^y$
  ◮ Note that $f(x, y) = f(x + 1, y + a)$, so $f$ has period $(1, a)$: a two-dimensional period-finding problem, solved the same way
◮ Grover's algorithm: find a pre-image of a function
  ◮ given $f : A \to B$ and $b \in B$, find $x$ such that $f(x) = b$
  ◮ if $N = |A|$, Grover only requires $O(\sqrt{N})$ evaluations of $f$ (a quadratic speed-up, so symmetric key and hash sizes are doubled rather than broken)
◮ General belief: major (exponential) speed-up only for problems that are neither in P nor NP-complete

slide-29
SLIDE 29

Linear algebra over $\mathbb{Z}_q$

◮ Let $q$ be a prime and $\mathbb{Z}_q \simeq \mathbb{Z}/q\mathbb{Z}$ the field with $q$ elements
◮ System of $m$ linear equations in $n$ unknowns ($m \ge n$):
  $$\begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & & \vdots \\ a_{n,1} & a_{n,2} & \cdots & a_{n,n} \\ \vdots & \vdots & & \vdots \\ a_{m,1} & a_{m,2} & \cdots & a_{m,n} \end{pmatrix} \cdot \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} = \begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_n \\ \vdots \\ c_m \end{pmatrix}$$
◮ Given the matrix $A$ and the vector $C$, Gaussian elimination finds the $s_i$ in polynomial time

slide-31
SLIDE 31 (final build of slides 30-31)

Distorting the right-hand side

◮ Instead of the exact vector $C$, one is only given a vector $B = C + E$, i.e.
  $$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & & \vdots \\ a_{m,1} & a_{m,2} & \cdots & a_{m,n} \end{pmatrix} \cdot \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_m \end{pmatrix}$$
◮ The error terms $e_i$ are small with respect to $q$

slide-33
SLIDE 33 (final build of slides 32-33)

Learning With Errors (LWE) Problem: search

Regev '05: On lattices, learning with errors, random linear codes, and cryptography

◮ Secret vector $s \in \mathbb{Z}_q^n$ for some fixed $n$ and $q$
◮ An oracle generates a random $a \in \mathbb{Z}_q^n$ and a small error $e$
◮ The oracle outputs $(a,\ b := \langle a, s \rangle + e \bmod q)$
◮ The process is repeated many times for fresh $a$ and $e$
◮ Search-LWE: given the samples $(a_i, b_i)$, recover $s$
◮ Stacking $m$ samples gives the matrix form
  $$\begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & & \vdots \\ a_{m,1} & a_{m,2} & \cdots & a_{m,n} \end{pmatrix} \cdot \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_m \end{pmatrix} = \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix}$$

slide-34
SLIDE 34

Discrete Gaussian distribution

◮ The error distribution $\chi$ is typically a discrete Gaussian distribution $\chi_\sigma$ on $\mathbb{Z}$
◮ Definition = discretisation of the continuous Gaussian distribution: for $z \in \mathbb{Z}$,
  $$\chi_\sigma(z) \sim \exp\left(-\frac{z^2}{2\sigma^2}\right)$$
  (normalised so that the probabilities over all $z \in \mathbb{Z}$ sum to 1)

[Figure: bar plot of $\Pr(E = z)$ against $z$ for $z \in [-25, 25]$, the bell-shaped probability mass function of $\chi_\sigma$; vertical axis from 0 to 0.14]

slide-36
SLIDE 36 (final build of slides 35-36)

Learning With Errors (LWE) Problem: decision

Distinguish between two distributions:

  LWE distribution                                      | Uniform distribution
  fixed $s \in \mathbb{Z}_q^n$                          |
  $a_i$ uniform random in $\mathbb{Z}_q^n$              | $a_i$ uniform random in $\mathbb{Z}_q^n$
  $e_i$ small random error from $\chi$                  | $b_i$ uniform random in $\mathbb{Z}_q$
  $(a_1,\ b_1 := \langle a_1, s \rangle + e_1 \bmod q)$ | $(a_1, b_1)$
  $(a_2,\ b_2 := \langle a_2, s \rangle + e_2 \bmod q)$ | $(a_2, b_2)$
  ...                                                   | ...
  $(a_m,\ b_m := \langle a_m, s \rangle + e_m \bmod q)$ | $(a_m, b_m)$

◮ Basically says that the $b_i$ look completely random, even given the $a_i$

slide-38
SLIDE 38 (final build of slides 37-38)

Gaussian elimination for LWE?

  $$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \end{pmatrix} = \begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & & \vdots \end{pmatrix} \cdot \begin{pmatrix} s_1 \\ s_2 \\ \vdots \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \end{pmatrix}$$

◮ Eliminate $a_{2,1}$ by computing $A[2] - a_{1,1}^{-1} a_{2,1} \cdot A[1]$ (on the rows of the system, including the $b_i$)
◮ The element $a_{1,1}^{-1} a_{2,1}$ is typically large (it is a uniform element of $\mathbb{Z}_q$), so it blows up the error $e_1$: the new error $e_2 - a_{1,1}^{-1} a_{2,1} e_1$ is no longer small, and after $n$ elimination steps the recovered "solution" is unrelated to $s$
◮ Only combine equations with equal $a_{j,1}$ and $a_{k,1}$: their difference has error $e_j - e_k$, which is still small
◮ Blum, Kalai, Wasserman '03: combine equations with equal blocks of coefficients (needs a number of samples and a running time that are still exponential in $n$)
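The two observations above, run on a constructed instance, as an added example (not code from the slides): Gaussian elimination on the exact system recovers $s$, the same elimination on $b = As + e$ returns an unrelated vector because the multipliers $a_{k,k}^{-1} a_{i,k}$ are uniform in $\mathbb{Z}_q$, while subtracting two rows with equal first coefficient keeps the error at $e_j - e_k$. Parameters ($n = 4$, $m = 20$, $q = 31$, errors in $\{-1, 0, 1\}$) are toy values chosen here.

```python
# Why Gaussian elimination does not solve LWE (added example, not from the slides).
# Constructed toy instance; `demo` returns the quantities discussed on the slide.
import random


def lwe_instance(n, m, q, rng, err=(-1, 0, 1)):
    """Secret s, matrix A, exact right-hand side c = A s and noisy b = c + e."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.choice(err) for _ in range(m)]
    c = [sum(x * y for x, y in zip(row, s)) % q for row in A]
    b = [(ci + ei) % q for ci, ei in zip(c, e)]
    return s, A, e, c, b


def gauss_solve(A, rhs, q):
    """Solve the square system A x = rhs over Z_q (q prime) by Gauss-Jordan
    elimination; also returns the largest multiplier |a_kk^-1 a_ik| used."""
    n = len(A)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    biggest = 0
    for k in range(n):
        piv = next((i for i in range(k, n) if M[i][k] % q), None)
        if piv is None:
            raise ValueError("singular matrix")
        M[k], M[piv] = M[piv], M[k]
        inv = pow(M[k][k], -1, q)
        for i in range(n):
            if i != k and M[i][k] % q:
                f = (M[i][k] * inv) % q                 # the multiplier a_ik / a_kk
                biggest = max(biggest, min(f, q - f))   # its size as a centred residue
                M[i] = [(x - f * y) % q for x, y in zip(M[i], M[k])]
    return [(M[i][n] * pow(M[i][i], -1, q)) % q for i in range(n)], biggest


def centred(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if 2 * x > q else x


def max_residual(A, b, x, q):
    """max_i |b_i - <a_i, x>| (centred): small only if x is the LWE secret."""
    return max(abs(centred(bi - sum(p * y for p, y in zip(row, x)), q)) for row, bi in zip(A, b))


def equal_first_coefficient(A):
    """A pair of rows (j, k), j < k, with a_j1 == a_k1, or None."""
    seen = {}
    for k, row in enumerate(A):
        if row[0] in seen:
            return seen[row[0]], k
        seen[row[0]] = k
    return None


def demo(n=4, m=20, q=31, seed=1):
    rng = random.Random(seed)
    while True:                                      # redraw until the n x n block is
        s, A, e, c, b = lwe_instance(n, m, q, rng)   # invertible, e[:n] != 0 and a pair
        pair = equal_first_coefficient(A)            # with equal first coefficient exists
        try:
            exact, mult = gauss_solve(A[:n], c[:n], q)
            noisy, _ = gauss_solve(A[:n], b[:n], q)
        except ValueError:
            continue
        if pair and any(e[:n]):
            break
    j, k = pair
    # row j minus row k: the first coefficient cancels and the error becomes e_j - e_k
    combined_error = centred(b[j] - b[k] - sum((aj - ak) * si for aj, ak, si in zip(A[j], A[k], s)), q)
    return {
        "secret": s,
        "from_exact_c": exact,                       # equals s
        "from_noisy_b": noisy,                       # s + A^-1 e, unrelated to s
        "largest_multiplier": mult,                  # a uniform element of Z_q, not small
        "residual_of_secret": max_residual(A, b, s, q),     # <= 1
        "residual_of_noisy": max_residual(A, b, noisy, q),  # large on the other m - n rows
        "combined_error": combined_error,            # e_j - e_k, in [-2, 2]
        "combined_error_is_diff": combined_error == e[j] - e[k],
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:24s} {val}")
```

The residual test on the remaining $m - n$ rows is exactly the "easy to test a candidate" property from later in the talk: the wrong solution fits the $n$ rows it was computed from and nothing else.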

slide-40
SLIDE 40 (final build of slides 39-40)

Getting rid of the errors?

◮ Given $b \in \mathbb{Z}_q^{m \times 1}$ and $A \in \mathbb{Z}_q^{m \times n}$ with $b = A \cdot s + e$
◮ The errors are small when reduced into the interval $[-q/2, q/2]$
◮ ❀ a global problem with a natural notion of smallness
◮ Consider the set of vectors in $\mathbb{Z}^m$
  $$L(A) = \{ z \in \mathbb{Z}^m \mid z = A \cdot x \bmod q \text{ for some } x \in \mathbb{Z}_q^n \}$$
◮ Note that if $z_1, z_2 \in L(A)$ we have $z_1 - z_2 \in L(A)$: it is a lattice (the $q$-ary lattice of $A$, containing $q\mathbb{Z}^m$)
◮ If $e = 0$, then $b \in L(A)$; with $e \neq 0$ the vector $b$ is in general not in $L(A)$, but it is still quite close to it

slide-41
SLIDE 41

Lattices

A lattice $L \subset \mathbb{R}^m$ generated by $\mathbb{R}$-linearly independent vectors $b_1, \ldots, b_n \in \mathbb{R}^m$:
  $$L = L(b_1, \ldots, b_n) = \left\{ \sum_{i=1}^{n} x_i b_i \;\middle|\; x_i \in \mathbb{Z} \right\}$$

◮ Lattice dimension: $n = \dim(L)$
◮ Embedding dimension: $m$
◮ $b_1, \ldots, b_n$ is a lattice basis (not unique)

slide-42
SLIDE 42

Infinitely many bases

[Figure: the same two-dimensional lattice drawn with two different bases]

slide-43
SLIDE 43

Lattice minima: $\lambda_i(L)$

◮ There exists a shortest non-zero vector; its length is $\lambda_1(L)$
◮ For $i \le d = \dim(L)$, $\lambda_i(L)$ is the minimum radius $r$ for which the ball $B(0, r)$ contains $i$ linearly independent lattice vectors

[Figure: a two-dimensional lattice with basis vectors $b_1$, $b_2$]

slide-44
SLIDE 44

The shortest vector problem: SVP and SIVP

◮ SVP: given a basis of $L$, compute a vector of length $\lambda_1(L)$
◮ $\gamma$-SVP: compute a non-zero vector of length $\le \gamma \cdot \lambda_1(L)$
◮ $\gamma$-GapSVP: decide whether $\lambda_1(L) \le 1$ or $\lambda_1(L) > \gamma$
◮ SIVP: shortest independent vectors problem
◮ $\gamma$-SIVP: compute $n$ linearly independent lattice vectors $v_i$ with $\|v_i\| \le \gamma \cdot \lambda_n(L)$

slide-45
SLIDE 45

The closest vector problem: CVP and BDD

◮ CVP: given $L$ and a target vector $t$, compute a lattice vector closest to $t$
◮ $\gamma$-CVP: given a basis of $L$ and a target vector $t$, compute a lattice vector $v$ such that $\|v - t\| \le \gamma \cdot \min_{b \in L} \|b - t\|$
◮ BDD$_d$ (bounded distance decoding): CVP where $t$ is promised to be closer to $L$ than a given bound $d$

[Figure: a target $t$ and its closest lattice vector CVP$(t)$]

slide-46
SLIDE 46

Hardness results

Solving these problems for a small $\gamma$ is infeasible:

◮ CVP: NP-hard under deterministic reductions, even with preprocessing (van Emde Boas, Micciancio)
◮ $\gamma$-SVP: NP-hard under randomized reductions for $\gamma < 2$ (Ajtai, Micciancio, Khot)
◮ $\gamma$-SVP: not NP-hard for $\gamma \ge \sqrt{n / \log n}$ under a reasonable complexity assumption (Goldreich & Goldwasser)
◮ Random instances of $n^c$-SVP are not easier than worst-case instances when $c$ is larger than some constant (Ajtai, Regev: worst-case to average-case reductions)
◮ Cryptography lives in the gap: the approximation factors it relies on are polynomial in $n$, where no NP-hardness is known, but no polynomial-time (classical or quantum) algorithm is known either

slide-47
SLIDE 47

Getting rid of the errors?

◮ Recall that LWE samples can be written as $b = A \cdot s + e$, where $A$ is an $m \times n$ matrix over $\mathbb{Z}_q$
◮ Consider the lattice $L(A) = \{ z \in \mathbb{Z}^m \mid z = A \cdot x \bmod q,\ x \in \mathbb{Z}_q^n \}$
◮ Note that the vector $b$ is at distance $\|e\|$ from $L(A)$
◮ Solving BDD$_d$ with $d \ge \|e\|$ removes the errors: the closest lattice vector is $A \cdot s \bmod q$, and $s$ then follows by Gaussian elimination (the "primal" attack on search-LWE)

slide-49
SLIDE 49 (final build of slides 48-49)

Solving decision-LWE via lattices

◮ Recall that LWE samples can be written as $b = A \cdot s + e$, where $A$ is an $m \times n$ matrix over $\mathbb{Z}_q$
◮ Let $w \in \mathbb{Z}^{1 \times m}$ be a vector with $w \cdot A = 0 \bmod q$
◮ Then $w \cdot b = w \cdot A \cdot s + w \cdot e = w \cdot e \pmod q$
◮ If $w$ is short, then $w \cdot e$ is small, so $w \cdot b \bmod q$ will not be uniform if the sample is LWE (for uniform $b$ it is uniform whatever $w$ is)
◮ Consider the lattice
  $$L^\perp(A) = \{ w \in \mathbb{Z}^m \mid w \cdot A = 0 \bmod q \}$$
◮ Finding short vectors in $L^\perp(A)$ breaks decision-LWE (the "dual" attack)
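The dual attack of this slide on a constructed instance, as an added example (not code from the slides). At toy size the short vectors of $L^\perp(A)$ are found by enumerating $\{-1, 0, 1\}^m$; at real sizes that step is lattice reduction (LLL/BKZ), which is what makes the attack's cost the benchmark for LWE parameter choices. The parameters ($n = 2$, $m = 10$, $q = 31$), the threshold $q/8$ on the mean of $|w \cdot b|$ and all function names are this example's own.

```python
# Dual attack on decision-LWE (added example, not from the slides): short w with
# w A = 0 mod q give small w b = w e on LWE samples, uniform w b on random samples.
import itertools
import random


def centred(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if 2 * x > q else x


def lwe_samples(n, m, q, s, rng, err=(-1, 0, 1)):
    """Constructed LWE samples b = A s + e with A uniform and e small."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(sum(x * y for x, y in zip(a, s)) + rng.choice(err)) % q for a in A]
    return A, b


def uniform_samples(n, m, q, rng):
    """Constructed samples from the uniform distribution."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    return A, [rng.randrange(q) for _ in range(m)]


def short_dual_vectors(A, q, limit=32):
    """Up to `limit` non-zero w in {-1,0,1}^m with w A = 0 mod q, i.e. short
    elements of L^perp(A). Exhaustive search: toy sizes only."""
    m, n = len(A), len(A[0])
    found = []
    for w in itertools.product((-1, 0, 1), repeat=m):
        if any(w) and all(sum(w[i] * A[i][j] for i in range(m)) % q == 0 for j in range(n)):
            found.append(w)
            if len(found) == limit:
                break
    return found


def dual_statistic(b, q, ws):
    """Mean of |w b mod q| over the short dual vectors: about |w e| for LWE
    samples, about q/4 for uniform b."""
    return sum(abs(centred(sum(wi * bi for wi, bi in zip(w, b)), q)) for w in ws) / len(ws)


def is_lwe(A, b, q):
    """Decision-LWE distinguisher: True if the dual statistic is below q/8."""
    ws = short_dual_vectors(A, q)
    if not ws:
        raise ValueError("no short dual vector found; use more samples")
    return dual_statistic(b, q, ws) < q / 8


def demo(n=2, m=10, q=31, seed=11):
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    A, b = lwe_samples(n, m, q, s, rng)
    A_u, b_u = uniform_samples(n, m, q, rng)
    ws, ws_u = short_dual_vectors(A, q), short_dual_vectors(A_u, q)
    return {
        "short_dual_vectors_found": (len(ws), len(ws_u)),
        "lwe_statistic": dual_statistic(b, q, ws),
        "uniform_statistic": dual_statistic(b_u, q, ws_u),
        "lwe_detected": dual_statistic(b, q, ws) < q / 8,
        "uniform_detected": dual_statistic(b_u, q, ws_u) < q / 8,
    }


if __name__ == "__main__":
    print(demo())
```

The statistic is exactly the slide's argument made quantitative: for LWE samples every term is $|w \cdot e|$, bounded by the weight of $w$, while for uniform $b$ each term is the absolute value of a uniform centred residue, with mean close to $q/4$.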

slide-54
SLIDE 54 (final build of slides 50-54)

Properties of the LWE problems

◮ LWE is proven to be as hard as worst-case lattice problems (GapSVP and SIVP); Regev's reduction is quantum
◮ The Gaussian parameter should be large enough: $\sqrt{2\pi} \cdot \sigma > \sqrt{n}$ (the worst-case reduction needs errors of this size; with much smaller errors LWE becomes easier)
◮ Easy to test whether a candidate $s' \in \mathbb{Z}_q^n$ is a real solution: test whether $b_i - \langle a_i, s' \rangle$ is small for all $i$
◮ Given an LWE problem with secret $s$, one can easily create an LWE problem for secret $s + t$: replace $b_i$ with $b_i + \langle a_i, t \rangle$ (random self-reduction: a worst-case secret is as hard as a uniformly random one)
◮ Search and decision problems are equivalent (easy to show for $q$ prime and $q = O(\mathrm{poly}(n))$)
◮ The secret $s$ can be taken from the error distribution $\chi$ without loss of hardness (Applebaum, Cash, Peikert, Sahai '09)

slide-57
SLIDE 57 (final build of slides 55-57)

Search LWE $\le_P$ Decision LWE

◮ Given an oracle that solves Decision LWE, we will solve Search LWE
◮ Idea: use the Decision oracle to deduce the coefficients of $s$ one at a time
◮ Make a guess $g$ for the first coefficient $s_1$ of $s$
◮ Change each sample $(a, b)$ into $(a + (r, 0, \ldots, 0),\ b + g \cdot r)$, with $r$ uniform random in $\mathbb{Z}_q$ and fresh for every sample
◮ Submit the new LWE instance to the Decision oracle
◮ If the guess $g$ is correct, then $b + g r = \langle a + (r, 0, \ldots, 0), s \rangle + e$: the new instance has the LWE distribution
◮ If the guess $g$ is incorrect, then $b + g r = \langle a + (r, 0, \ldots, 0), s \rangle + e + (g - s_1) r$, and since $q$ is prime and $r$ is uniform, $(g - s_1) r$ is uniform: the new instance has the uniform distribution
◮ Repeat for the other coefficients of $s$: at most $n \cdot q$ oracle calls, polynomial when $q = \mathrm{poly}(n)$
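The reduction above run end to end, together with the solution test and the secret shift from the properties slide, as an added example (not code from the slides). The decision oracle here is a brute-force search over $\mathbb{Z}_q^n$, which is only possible for the toy parameters used ($n = 3$, $q = 11$, $m = 20$ samples, errors in $\{-1, 0, 1\}$); the reduction itself is the generic one and works with any decision oracle passed in. Function names are this example's own.

```python
# Search-to-decision reduction for LWE (added example, not from the slides).
# The brute-force decision oracle is a stand-in for the hypothetical oracle
# of the slide; the reduction makes at most n*q calls to it.
import itertools
import random


def inner(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q


def lwe_samples(n, m, q, s, rng, err=(-1, 0, 1)):
    """Constructed LWE samples (a_i, b_i = <a_i, s> + e_i mod q)."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(inner(a, s, q) + rng.choice(err)) % q for a in A]
    return A, b


def is_small(x, q, bound=1):
    x %= q
    return x <= bound or x >= q - bound


def is_solution(A, b, cand, q, bound=1):
    """Candidate test: cand is the secret iff every b_i - <a_i, cand> is small."""
    return all(is_small(bi - inner(a, cand, q), q, bound) for a, bi in zip(A, b))


def shift_secret(A, b, t, q):
    """Random self-reduction: samples for secret s + t from samples for secret s."""
    return [(bi + inner(a, t, q)) % q for a, bi in zip(A, b)]


def decision_oracle(A, b, q, bound=1):
    """Brute-force decision-LWE: does any s' in Z_q^n explain all samples?"""
    n = len(A[0])
    return any(is_solution(A, b, cand, q, bound)
               for cand in itertools.product(range(q), repeat=n))


def search_via_decision(A, b, q, rng, oracle=decision_oracle):
    """Recover s coordinate by coordinate. For coordinate i and guess g each sample
    (a, b) becomes (a + r*e_i, b + g*r) with fresh uniform r: still LWE if g == s_i,
    uniform otherwise because (g - s_i)*r is uniform for prime q."""
    n = len(A[0])
    recovered = []
    for i in range(n):
        for g in range(q):
            A2, b2 = [], []
            for a, bi in zip(A, b):
                r = rng.randrange(q)
                a2 = a[:]
                a2[i] = (a2[i] + r) % q
                A2.append(a2)
                b2.append((bi + g * r) % q)
            if oracle(A2, b2, q):
                recovered.append(g)
                break
        else:
            raise ValueError(f"no guess for coordinate {i} accepted by the oracle")
    return recovered


if __name__ == "__main__":
    rng = random.Random(3)
    n, m, q = 3, 20, 11
    s = [rng.randrange(q) for _ in range(n)]
    A, b = lwe_samples(n, m, q, s, rng)
    print("secret:   ", s)
    print("recovered:", search_via_decision(A, b, q, rng))
    t = [1, 2, 3]
    s_plus_t = [(x + y) % q for x, y in zip(s, t)]
    print("shifted instance has secret s + t:", is_solution(A, shift_secret(A, b, t, q), s_plus_t, q))
```

With $m = 20$ samples a wrong guess produces a uniform instance that the oracle accepts only if some $s'$ explains 20 uniform values, probability about $q^n (3/q)^{20}$, which is negligible here; the number of samples is what makes the reduction reliable.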

slide-58
SLIDE 58

Cryptographic applications of LWE

◮ LWE is as hard as worst-case lattice problems, which are believed to be exponentially hard
◮ LWE has been used as the basis for:
  ◮ Public key encryption
  ◮ Key agreement
  ◮ Digital signatures
  ◮ Identity-based encryption
  ◮ Many more exotic things . . .
◮ Main downside: inefficient both in space and time (see next slide)

slide-62
SLIDE 62 (final build of slides 59-62)

Public key encryption based on LWE

◮ Private key: secret vector $s \in \mathbb{Z}_q^n$ chosen uniformly at random
◮ Public key: $m$ samples from the LWE distribution with secret $s$, given as an $m \times n$ matrix $A$ and an $m \times 1$ matrix $B = A \cdot s + E$
◮ Encryption: for each bit $b$ of the message do
  ◮ choose a random vector $r \in \mathbb{Z}_q^m$ with small coefficients
  ◮ ciphertext $= (c, d) = (r^t \cdot A,\ r^t \cdot B + b \cdot \lfloor q/2 \rfloor) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$
◮ Decryption: given ciphertext $(c, d)$
  ◮ compute $d - \langle c, s \rangle = r^t \cdot E + b \cdot \lfloor q/2 \rfloor \pmod q$
  ◮ if $d - \langle c, s \rangle$ is closer to $0$ than to $\lfloor q/2 \rfloor$ modulo $q$, then the message bit is 0, else it is 1
◮ Correctness requires $|r^t \cdot E| < q/4$, which fixes the relation between $m$, the error size and $q$; security rests on decision-LWE ($(A, B)$ looks uniform) plus the fact that $r^t (A \mid B)$ is then close to uniform; the scheme is malleable and only aims at security against chosen-plaintext attacks
◮ Private/public key setup (picture): $A \cdot S + E = B$
◮ Encryption (picture): $R \cdot A$ and $R \cdot B + Z$, where $Z$ holds the message bits scaled by $\lfloor q/2 \rfloor$
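The scheme of the slide written out, as an added example (not code from the slides). The parameters $n = 8$, $m = 24$, $q = 257$ are toy values chosen here so that the correctness condition is met by construction: with errors in $\{-1, 0, 1\}$ and $r \in \{0, 1\}^m$ the decryption noise $r^t E$ is at most $m = 24 < 64 = q/4$. They give no real security; the names `keygen`, `encrypt_bit`, `decrypt_bit`, `noise` are this example's own.

```python
# LWE public-key encryption of a bit (added example, not from the slides).
# Toy parameters: correctness holds by construction, security does not.
import random

N_DIM, M_SAMPLES, Q = 8, 24, 257


def inner(u, v, q=Q):
    return sum(x * y for x, y in zip(u, v)) % q


def centred(x, q=Q):
    x %= q
    return x - q if 2 * x > q else x


def keygen(rng, n=N_DIM, m=M_SAMPLES, q=Q):
    """Private key s; public key (A, B) with B = A s + E, i.e. m LWE samples."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    E = [rng.choice((-1, 0, 1)) for _ in range(m)]
    B = [(inner(a, s, q) + e) % q for a, e in zip(A, E)]
    return s, (A, B)


def encrypt_bit(pk, bit, rng, q=Q):
    """(c, d) = (r^t A, r^t B + bit * floor(q/2)) for a fresh r in {0,1}^m."""
    A, B = pk
    r = [rng.randrange(2) for _ in B]
    c = [inner(r, col, q) for col in zip(*A)]        # r^t A, one entry per column of A
    d = (inner(r, B, q) + bit * (q // 2)) % q
    return c, d


def decrypt_bit(sk, ct, q=Q):
    """d - <c, s> = r^t E + bit * floor(q/2): closer to 0 gives 0, else 1."""
    c, d = ct
    v = centred(d - inner(c, sk, q), q)
    return 0 if abs(v) < q / 4 else 1


def noise(sk, ct, bit, q=Q):
    """The term r^t E the decryptor sees (the bit is needed to strip the encoding)."""
    c, d = ct
    return centred(d - inner(c, sk, q) - bit * (q // 2), q)


def encrypt_bytes(pk, data, rng):
    """One ciphertext (n + 1 elements of Z_q) per message bit, LSB first."""
    return [encrypt_bit(pk, (byte >> k) & 1, rng) for byte in data for k in range(8)]


def decrypt_bytes(sk, cts):
    bits = [decrypt_bit(sk, ct) for ct in cts]
    return bytes(sum(bits[8 * i + k] << k for k in range(8)) for i in range(len(bits) // 8))


if __name__ == "__main__":
    rng = random.Random(7)
    sk, pk = keygen(rng)
    msg = b"LWE"
    cts = encrypt_bytes(pk, msg, rng)
    bits = [(byte >> k) & 1 for byte in msg for k in range(8)]
    print("decrypted:", decrypt_bytes(sk, cts))
    print("ciphertext elements per bit:", len(cts[0][0]) + 1, "(n + 1)")
    print("public key elements:", M_SAMPLES * (N_DIM + 1), "(m * (n + 1))")
    print("max |r^t E|:", max(abs(noise(sk, ct, bit)) for ct, bit in zip(cts, bits)), "< q/4 =", Q / 4)
```

The two printed sizes are the "inefficient in space" point of the previous slide made concrete: every message bit costs $n + 1$ elements of $\mathbb{Z}_q$ and the public key holds $m(n + 1)$ of them.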

slide-66
SLIDE 66 (final build of slides 63-66)

Ring-LWE

◮ Main problem with LWE: it requires $n$ elements of $\mathbb{Z}_q$ (the vector $a$) to generate only one extra random-looking element of $\mathbb{Z}_q$: $(a,\ b := \langle a, s \rangle + e)$
◮ Instead of the inner product, try to use another type of product such that the result is again in $\mathbb{Z}_q^n$ and not just in $\mathbb{Z}_q$
◮ First idea: coordinate-wise multiplication
  ◮ Not secure, since each coordinate is independent
  ◮ Easy search to find each coordinate of $s$ separately ($n \cdot q$ work instead of $q^n$)
◮ Better idea: use multiplication in a polynomial ring
◮ Consider $R := \mathbb{Z}_q[x]/(x^n + 1)$ with $n = 2^k$
◮ Then one can identify $\mathbb{Z}_q^n$ with $R$ by
  $$[a_0, a_1, \ldots, a_{n-1}] \mapsto \sum_{i=0}^{n-1} a_i x^i$$
◮ Addition is simply coordinate-wise addition
◮ Multiplication is polynomial multiplication followed by reduction modulo $x^n + 1$ (i.e. $x^n = -1$: a negacyclic convolution of the coefficient vectors)

slide-69
SLIDE 69 (final build of slides 67-69)

Ring-LWE

◮ Ring-LWE:
  ◮ secret element $s \in R$
  ◮ elements $a_i$ chosen uniformly at random in $R$
  ◮ the coefficients of the noise polynomials $e_i$ are small independent (discrete) normal variables
◮ Search: given many tuples $(a_i,\ a_i * s + e_i)$, recover $s$
◮ Decision: given many tuples $(a_i, b_i) \in R^2$, decide whether there exist an $s \in R$ and small $e_i \in R$ such that $b_i = a_i * s + e_i$ (i.e. distinguish them from uniform pairs)
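The ring arithmetic and the two products compared on the previous slides, as an added example (not code from the slides): multiplication in $R = \mathbb{Z}_q[x]/(x^n + 1)$, Ring-LWE samples with the solution test carried over from LWE, and the attack on the rejected coordinate-wise product, which recovers each $s_j$ by trying $q$ values. Parameters ($n = 8$, $q = 97$, $m = 12$ samples) are toy values chosen here; function names are this example's own.

```python
# Ring-LWE arithmetic and the coordinate-wise-product pitfall (added example,
# not from the slides). Toy parameters, no claim of security.
import random


def poly_mul_negacyclic(a, b, q):
    """Product of a, b in Z_q[x]/(x^n + 1): schoolbook multiplication, then
    every x^(n+k) is replaced by -x^k."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def small_poly(n, rng, err=(-1, 0, 1)):
    return [rng.choice(err) for _ in range(n)]


def rlwe_sample(s, q, rng):
    """(a, a*s + e) with uniform a in R and small e: n pseudorandom coefficients
    per sample instead of one."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = small_poly(n, rng)
    return a, [(x + y) % q for x, y in zip(poly_mul_negacyclic(a, s, q), e)]


def coordwise_sample(s, q, rng):
    """The rejected first idea: b = (a coordinate-wise times s) + e."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = small_poly(n, rng)
    return a, [(ai * si + ei) % q for ai, si, ei in zip(a, s, e)]


def is_small(x, q, bound=1):
    x %= q
    return x <= bound or x >= q - bound


def is_rlwe_solution(samples, cand, q, bound=1):
    """cand explains the samples iff every coefficient of b - a*cand is small."""
    return all(all(is_small(bi - pi, q, bound)
                   for bi, pi in zip(b, poly_mul_negacyclic(a, cand, q)))
               for a, b in samples)


def break_coordwise(samples, q, bound=1):
    """Coordinate j of every sample only involves s_j, so each s_j is found by
    trying q values: n*q work instead of q^n. Returns the candidates per coordinate."""
    n = len(samples[0][0])
    return [[g for g in range(q) if all(is_small(b[j] - a[j] * g, q, bound) for a, b in samples)]
            for j in range(n)]


def demo(n=8, q=97, m=12, seed=5):
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    ring = [rlwe_sample(s, q, rng) for _ in range(m)]
    weak = [coordwise_sample(s, q, rng) for _ in range(m)]
    return {
        "secret": s,
        "ring_secret_verifies": is_rlwe_solution(ring, s, q),
        "ring_zero_verifies": is_rlwe_solution(ring, [0] * n, q),
        "coordwise_recovered": [c[0] if len(c) == 1 else c for c in break_coordwise(weak, q)],
    }


if __name__ == "__main__":
    print(demo())
```

The same brute force does not apply to the ring product: every coefficient of $a * s$ depends on all of $s$, so the candidate test has to be run on whole elements of $R$, i.e. on $q^n$ candidates, which is the point of the slide.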

slide-70
SLIDE 70

Conclusion

◮ LWE is a building block for post-quantum cryptography
◮ Much more versatile than direct application of hard lattice problems
◮ Downside of LWE: public keys are much larger than for RSA/ECC ($m \cdot (n + 1)$ elements of $\mathbb{Z}_q$)
◮ Ring-LWE: more efficient, but also more structure . . .
◮ The exact security level is still very much open . . .