Fundamentals of Lattice-Based Cryptography, Chris Peikert (PowerPoint PPT Presentation)



SLIDE 1

Fundamentals of Lattice-Based Cryptography
Chris Peikert
University of Michigan
2nd Crypto Innovation School, Shanghai, China, 13 December 2019

1 / 23

SLIDE 2

Talk Outline

1 Lattices and hard problems
2 The SIS and LWE problems; basic applications
3 Using rings for efficiency

2 / 23

SLIDE 5

Today’s Cryptography (e.g., RSA, Diffie-Hellman)

◮ Conjectured-hard problems: factor N = P · Q, compute discrete logs
◮ Shor’s quantum algorithm:

N = 21305750140972822779 67336009072353225107 58864221620325802176 55802658737520126407 22059995071405557278 967027854563351343547
P = 16062216870909044065 12585584569433331615 827658775597032991663
Q = 13264514053200565459 67263583507984286802 756201383768089567669

g, y = g^X ∈ G  ⟶  X

3 / 23

SLIDE 11

Lattice-Based Cryptography

[Figure: number-theoretic crypto (N = p · q, y = g^x, m^e mod N, e(g^a, g^b)) ⇒ lattices]

Advantages

◮ Appears resistant to quantum attacks
◮ Simple description and implementation
◮ Efficient: linear, highly parallelizable
◮ Security from worst-case assumptions [Ajtai96, . . . ]

(Images courtesy xkcd.org)

4 / 23

SLIDE 12

Part 1: Lattices and Hard Problems

5 / 23

SLIDE 18

Lattices

◮ An (integer) lattice is a subgroup L ⊆ Z^m. (Looks like a periodic “grid.”)
◮ Has a basis B = {b_1, . . . , b_k} of linearly independent vectors:

  L = ⊕_{i=1}^{k} (Z · b_i)

  Today, k = m always: “full rank.” (Other representations as well. . . )

[Figure: lattice points around the origin O, basis vectors b_1, b_2, a lattice vector v, and the minimum distance λ_1]

Conjectured Hard Problems

◮ Find ‘relatively short’ (nonzero) lattice vector(s): SVP_γ, SIVP_γ
◮ Estimate geometric quantities of the lattice: minimum distance λ_1, successive minima λ_i, covering radius µ, . . .

6 / 23

SLIDE 23

Complexity (for the Worst Case)

GapSVP_γ

◮ Given (a basis of) an m-dim lattice L and some d > 0, distinguish λ_1(L) ≤ d FROM λ_1(L) > γ(m) · d
◮ Becomes easier for larger γ(m):

  γ = 2^{(log m)^{1−ε}}   NP-hard*   [Ajt98, . . . ]
  γ = √m                  ∈ coNP     [GG98, AR05]
  γ = m                   crypto     [Ajt96, . . . ]
  γ = 2^{∼m}              ∈ P        [LLL82, Sch87]

◮ For γ = poly(m), fastest algorithm: 2^m time & space [AKS01, MV10, . . . ]
◮ Similar status for other problems like SIVP_γ, . . .

7 / 23

SLIDE 24

Part 2: SIS/LWE and Basic Applications

8 / 23

SLIDE 31

A Hard Problem: Short Integer Solution [Ajtai’96]

◮ Fix a dimension n and modulus q (e.g., q ≈ n^2). Let Z_q^n = n-dimensional integer vectors modulo q.
◮ SIS: given many uniform a_1, . . . , a_m ∈ Z_q^n, find ‘short’ nonzero z ∈ Z^m s.t.

  A · z = 0 ∈ Z_q^n,   where A = (a_1 | a_2 | · · · | a_m) ∈ Z_q^{n×m}

Collision-Resistant Hash Function

◮ Define f_A : {0, 1}^m → Z_q^n for any m > n lg q as f_A(x) = Ax.
◮ Collision x, x′ ∈ {0, 1}^m where Ax = Ax′ . . .
  . . . yields a short (nonzero) solution z = x − x′ ∈ {0, ±1}^m.

9 / 23

SLIDE 32

Cool!

(but what does this have to do with lattices?)

10 / 23

SLIDE 36

Cool!

◮ Matrix A = (a_1, . . . , a_m) ∈ Z_q^{n×m} defines the lattice L⊥(A) = {z ∈ Z^m : Az = 0 ∈ Z_q^n}
◮ ‘Short’ solutions z lie in L⊥(A)

[Figure: the lattice L⊥(A) around the origin O, with the points (0, q) and (q, 0) marked]

Worst-Case/Average-Case Connection [Ajtai96, . . . ]

Finding ‘short’ (‖z‖ ≤ β ≪ q) nonzero z ∈ L⊥(A), for uniformly random A ∈ Z_q^{n×m}
⇓
solving GapSVP_{β√n} and SIVP_{β√n} on any n-dim lattice

10 / 23
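As an added illustration (not code from the talk), the SIS hash f_A(x) = Ax mod q from the previous slide, a brute-force collision for toy parameters, and the check that the collision yields a short nonzero vector in L⊥(A). The parameters n = 2, q = 7, m = 8 and the seed are assumptions chosen so the exhaustive search finishes instantly; the same functions work for any (n, q, m).

```python
"""SIS hash f_A(x) = A x mod q and the collision -> short-vector reduction.

Added example (not from the slides): toy parameters n = 2, q = 7, m = 8 so
that a collision of f_A on {0,1}^m can be found by exhaustive search.  Only
find_collision is brute force; the other functions are general.
"""
import itertools
import random

def sample_matrix(n, m, q, rng):
    """Uniformly random A in Z_q^{n x m}, stored as a list of n rows."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

def sis_hash(A, x, q):
    """f_A(x) = A x mod q for x in Z^m (binary x in the hash-function use)."""
    return tuple(sum(a_ij * x_j for a_ij, x_j in zip(row, x)) % q for row in A)

def in_kernel_lattice(A, z, q):
    """True iff z lies in L^perp(A) = {z in Z^m : A z = 0 mod q}."""
    return all(v == 0 for v in sis_hash(A, z, q))

def find_collision(A, q):
    """Brute-force a collision of f_A on {0,1}^m.

    With m > n lg q there are more inputs (2^m) than outputs (q^n), so the
    pigeonhole principle guarantees a collision.  Feasible only for toy sizes.
    """
    m = len(A[0])
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        h = sis_hash(A, x, q)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None  # unreachable when 2^m > q^n

def collision_to_sis_solution(A, q, x, x_prime):
    """Turn a collision (x, x') into a short nonzero z = x - x' in L^perp(A).

    Every coordinate of z lies in {0, +1, -1}, so ||z||_inf = 1 << q, which is
    exactly the 'short' requirement of SIS.  Raises if anything is off.
    """
    if x == x_prime:
        raise ValueError("x and x' must differ")
    z = tuple(a - b for a, b in zip(x, x_prime))
    if max(abs(c) for c in z) != 1:
        raise ValueError("z must lie in {0, +-1}^m")
    if not in_kernel_lattice(A, z, q):
        raise ValueError("pair is not a collision: A z != 0 mod q")
    return z

def demo(seed=2019):
    """Run the whole chain on toy parameters; return (A, z)."""
    n, q, m = 2, 7, 8                  # m = 8 > n lg q = 2 * log2(7) ~ 5.6
    rng = random.Random(seed)
    A = sample_matrix(n, m, q, rng)
    x, x_prime = find_collision(A, q)
    z = collision_to_sis_solution(A, q, x, x_prime)
    # The 'trivial' vectors q*e_i are also in L^perp(A), but they are long:
    # SIS asks for a solution with norm far below q.
    q_e1 = (q,) + (0,) * (m - 1)
    assert in_kernel_lattice(A, q_e1, q)
    return A, z

if __name__ == "__main__":
    A, z = demo()
    print("A =", A)
    print("short kernel vector z =", z, "with ||z||_inf =", max(map(abs, z)))
```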

SLIDE 41

Application: Digital Signatures [GentryPeikertVaikuntanathan’08]

◮ Generate uniform vk = A with ‘trapdoor’ sk = T. [Ajtai’99, . . . , MP’12]
◮ Sign(T, µ): use T to sample a short x ∈ Z^m s.t. Ax = H(µ) ∈ Z_q^n.
  Draw x from a (Gaussian) distribution, which reveals nothing about T.
◮ Verify(A, µ, x): check that Ax = H(µ) and x is sufficiently short.
◮ Security: forging a signature for a new message µ* requires finding a short x* s.t. Ax* = H(µ*). This is SIS!

11 / 23

SLIDE 47

Gaussian Sampling over a (Shifted) Lattice

◮ Sample x s.t. Ax = u given any ‘short’ basis T: max_i ‖t_i‖ ≤ std dev
  ⋆ Output distribution leaks no information about secret basis T!
◮ “Nearest-plane” algorithm with randomized rounding [Klein’00, GPV’08]

[Figure: the coset L⊥_u(A) with basis vectors t_1, t_2, the origin O, and the sampled point x]

◮ Proof idea: D_{L⊥_u}(plane) depends (essentially) only on dist(O, plane); not affected by shift within plane. So rounding with that probability produces that distribution.

12 / 23

SLIDE 55

Another Hard Problem: Learning With Errors [Regev’05]

◮ Parameters: dimension n, modulus q = poly(n), error distribution χ with √n ≤ std dev ≪ q, ‘rate’ α
◮ Search: find secret s ∈ Z_q^n given many ‘noisy inner products’

  a_1 ← Z_q^n,  b_1 = ⟨s, a_1⟩ + e_1 ∈ Z_q
  a_2 ← Z_q^n,  b_2 = ⟨s, a_2⟩ + e_2 ∈ Z_q
  . . .

  In matrix form: given A ∈ Z_q^{n×m} and b^t ≈ s^t A

◮ Decision: distinguish (A, b) from uniform (A, b)

LWE is Hard

  (n/α)-approx worst-case GapSVP, SIVP ≤ search-LWE   (quantum [R’05])
  search-LWE ≤ decision-LWE   [BFKL’93, R’05, . . . ]
  decision-LWE ≤ crypto

◮ Also fully classical reductions, for worse params [Peikert’09, BLPRS’13]
◮ Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]

13 / 23

SLIDE 59

LWE is Versatile

What kinds of crypto can we construct from LWE?

✔ Key Exchange/Public Key Encryption
✔ Oblivious Transfer
✔ Actively Secure Encryption (w/o random oracles)
✔ (Constrained) PRFs
✔✔ Identity-Based Encryption (w/ RO)
✔✔ Hierarchical ID-Based Encryption (w/o RO)
✔✔ NIZK for NP (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based/Predicate Encryption for arbitrary policies

and much, much more. . .

14 / 23

SLIDE 66

Public-Key Cryptosystem from LWE [Regev’05, GPV’08]

Key generation:
  A ← Z_q^{n×m},  short x ∈ Z^m
  u = Ax   (public key, uniform when m > n log q)

Encryption of a bit:
  s ← Z_q^n
  b^t = s^t A + e^t   (ciphertext ‘preamble’)
  b′ = s^t u + e′ + bit · ⌊q/2⌉   (‘payload’)

Decryption:
  b′ − b^t x ≈ bit · q/2

(A, u), (b, b′) look uniformly random, by LWE.

15 / 23
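The cryptosystem on this slide written out end to end, as an added example (not the talk’s own code). It assumes toy parameters n = 8, q = 1021, m = 96, a binary secret x and errors in {−1, 0, 1}, chosen so that the decryption noise |e′ − ⟨e, x⟩| ≤ m + 1 < q/4 holds with certainty; none of these values are meant to be secure.

```python
"""Bit encryption from LWE, following the slide (Regev'05 / GPV'08 form).

Added example, not code from the talk.  Parameters (n = 8, q = 1021, m = 96)
are toy-sized and NOT secure; the error distribution is uniform on {-1,0,1},
chosen so the decryption bound in decrypt() holds with certainty.
"""
import random

N, Q, M = 8, 1021, 96                  # m = 96 > n log2 q ~ 8 * 10 = 80

def inner(u, v, q):
    """Inner product <u, v> mod q."""
    return sum(a * b for a, b in zip(u, v)) % q

def matvec(A, x, q):
    """A x mod q for A given as a list of rows."""
    return [inner(row, x, q) for row in A]

def keygen(rng, n=N, q=Q, m=M):
    """pk = (A, u = A x), sk = short x in {0,1}^m."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    x = [rng.randrange(2) for _ in range(m)]
    u = matvec(A, x, q)
    return (A, u), x

def encrypt(pk, bit, rng, q=Q):
    """Preamble b^t = s^t A + e^t, payload b' = <s, u> + e' + bit * floor(q/2)."""
    A, u = pk
    n, m = len(A), len(A[0])
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randrange(-1, 2) for _ in range(m)]
    e_prime = rng.randrange(-1, 2)
    # b_j = sum_i s_i * A[i][j] + e_j  (the j-th noisy inner product)
    b = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    b_prime = (inner(s, u, q) + e_prime + bit * (q // 2)) % q
    return b, b_prime

def decrypt(sk, ct, q=Q):
    """b' - <b, x> = e' - <e, x> + bit * floor(q/2); round to 0 or q/2.

    Because <b, x> = s^t A x + <e, x> = <s, u> + <e, x>, the secret s cancels.
    With binary x and |e_j|, |e'| <= 1 the leftover noise has absolute value
    at most m + 1 = 97 < q/4 = 255, so the rounding below never fails.
    """
    b, b_prime = ct
    d = (b_prime - inner(b, sk, q)) % q
    if d > q // 2:                     # move d into (-q/2, q/2]
        d -= q
    return 1 if abs(d) > q // 4 else 0

def roundtrip(seed=13, trials=200):
    """Encrypt and decrypt random bits; return the number of failures (0)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    failures = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        if decrypt(sk, encrypt(pk, bit, rng)) != bit:
            failures += 1
    return failures

if __name__ == "__main__":
    print("decryption failures over 200 trials:", roundtrip())
```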

SLIDE 73

Identity-Based Encryption

◮ Proposed by [Shamir’84]: could this exist?

[Figure: an authority holding mpk (msk) issues sk_Alice, sk_Bobbi, sk_Carol; a sender who knows only mpk computes Enc(mpk, “Alice”, msg)]

1 [BonehFranklin’01, . . . ]: first IBE, based on pairings
2 [Cocks’01, BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!

16 / 23

SLIDE 74

IBE from LWE

mpk = A,  msk = trapdoor T
u = H(“Alice”)   (‘identity’ public key)
Gaussian x s.t. Ax = u   (the identity’s secret key, sampled using T)

Encryption to “Alice”:
  b^t = s^t A + e^t   (ciphertext preamble)
  b′ = s^t u + e′ + bit · ⌊q/2⌉   (‘payload’)

Decryption with x:
  b′ − b^t x ≈ bit · q/2

17 / 23

SLIDE 75

Part 3: Rings for Better Efficiency

18 / 23

SLIDE 79

SIS/LWE are (Sort Of) Efficient

  ⟨a_i, s⟩ + e_i = b_i ∈ Z_q

◮ Getting one pseudorandom scalar b_i ∈ Z_q requires an n-dim inner product (mod q)
◮ Can amortize each a_i over many secrets s_j, but still Õ(n) work per scalar output.
◮ Cryptosystems have rather large keys: pk = (A^t, b), where A^t has n columns and Ω(n) rows
◮ Inherently ≥ n^2 time to encrypt & decrypt a message.

19 / 23

SLIDE 84

Wishful Thinking. . .

  a_i ⋆ s + e_i = b_i ∈ Z_q^n   (a_i, s, e_i, b_i all n-dimensional vectors)

◮ Get n pseudorandom scalars from just one (cheap) product operation?
◮ Replace n × n blocks by n-dimensional vectors.

Question

◮ How to define the product ‘⋆’ so that (a_i, b_i) is pseudorandom?
◮ Careful! With small error, coordinate-wise multiplication is insecure!

Answer

◮ ‘⋆’ = multiplication in a polynomial ring: e.g., Z_q[X]/(X^n + 1). Fast and practical with FFT: n log n operations mod q.
◮ Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02, PR’06, LM’06, . . . ]

20 / 23

SLIDE 88

LWE Over Rings, Over Simplified

◮ Let R = Z[X]/(X^n + 1) for n a power of two, and R_q = R/qR
  ⋆ Elements of R_q are deg < n polynomials with mod-q coefficients
  ⋆ Operations in R_q are very efficient using FFT-like algorithms
◮ Search: find secret ring element s ∈ R_q, given:
  a_1 ← R_q,  b_1 = s · a_1 + e_1 ∈ R_q
  a_2 ← R_q,  b_2 = s · a_2 + e_2 ∈ R_q
  a_3 ← R_q,  b_3 = s · a_3 + e_3 ∈ R_q
  . . .   (e_i ∈ R are ‘small’)
◮ Decision: distinguish (a_i, b_i) from uniform (a_i, b_i) ∈ R_q × R_q

21 / 23
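An added example (not from the talk) of the ring product in Z_q[X]/(X^n + 1) from the previous slides, used to generate the samples (a_i, b_i = s · a_i + e_i) on this slide, placed beside the coordinate-wise product that the “Careful!” warning rules out: with that product every coordinate is an independent one-dimensional LWE instance, which a search over the q candidate values of s_j solves from a handful of samples. Toy parameters n = 8, q = 257 and ternary errors are assumptions.

```python
"""Ring-LWE samples in R_q = Z_q[X]/(X^n + 1) versus the insecure
coordinate-wise product the slide warns about.

Added example, not code from the talk.  Toy parameters (n = 8, q = 257) and
a ternary error distribution are assumptions; schoolbook negacyclic
multiplication is O(n^2), while the FFT/NTT route mentioned on the slide
achieves O(n log n).
"""
import random

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def negacyclic_mul(a, b, q):
    """Product of a, b (coefficient lists, degree < n) in Z_q[X]/(X^n + 1).

    A term of degree i + j >= n wraps to degree i + j - n with a sign flip,
    because X^n = -1 in this ring.
    """
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return [c % q for c in out]

def coordwise_mul(a, b, q):
    """The 'wishful' product: coordinate by coordinate.  Insecure, see below."""
    return [(x * y) % q for x, y in zip(a, b)]

def ring_lwe_samples(s, q, count, rng, product):
    """(a_i, b_i = a_i * s + e_i) with the given product and ternary e_i."""
    n = len(s)
    samples = []
    for _ in range(count):
        a = [rng.randrange(q) for _ in range(n)]
        e = [rng.randrange(-1, 2) for _ in range(n)]
        b = [(x + y) % q for x, y in zip(product(a, s, q), e)]
        samples.append((a, b))
    return samples

def recover_coordwise_secret(samples, q, err_bound=1):
    """Why the coordinate-wise product fails: coordinate j of every sample
    is a one-dimensional LWE instance b_j = a_j * s_j + e_j, so s_j is found
    by testing all q candidates against the (small) error bound.
    """
    n = len(samples[0][0])
    recovered = []
    for j in range(n):
        fits = [g for g in range(q)
                if all(abs(centered(b[j] - a[j] * g, q)) <= err_bound
                       for a, b in samples)]
        recovered.append(fits[0] if len(fits) == 1 else None)
    return recovered

def ring_mixes_all_coordinates(a, s, q, j=0):
    """In the ring, changing one coefficient s_j changes a * s in every
    coordinate (when all coefficients of a are nonzero): the difference is
    a * X^j, a signed rotation of a.  This is what makes each b_j depend on
    all of s, unlike the coordinate-wise product."""
    s2 = list(s)
    s2[j] = (s2[j] + 1) % q
    before, after = negacyclic_mul(a, s, q), negacyclic_mul(a, s2, q)
    return all(x != y for x, y in zip(before, after))

def demo(seed=5, n=8, q=257):
    """Recover s from six coordinate-wise samples; return (s, recovered)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    weak = ring_lwe_samples(s, q, 6, rng, coordwise_mul)
    return s, recover_coordwise_secret(weak, q)

if __name__ == "__main__":
    s, found = demo()
    print("secret   :", s)
    print("recovered:", found)
```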

SLIDE 91

Hardness of Ring-LWE

Initial Reductions [LyubashevskyPeikertRegev’10]

  worst-case approx-SVP on ideal lattices in R ≤ search R-LWE   (quantum, any R = O_K)
  search R-LWE ≤ decision R-LWE   (classical, any cyclotomic R)

Newer Reduction [PeikertRegevStephens-Davidowitz’17]

  worst-case approx-SVP on ideal lattices in R ≤ decision R-LWE   (quantum, any R = O_K)

Constructions

  decision R-LWE ≤ much crypto

22 / 23

SLIDE 94

Final Thoughts

◮ Lattices are a very attractive foundation for post-quantum crypto, for both ‘basic’ and ‘advanced’ objects. See remaining talks for much more.
◮ Cryptanalysis/concrete security estimates are subtle and ongoing, but maturing. See Phong Nguyen’s talks tomorrow for coverage of this topic.

Thanks!

23 / 23