How to Use a Short Basis: Trapdoors for Hard Lattices and New - - PowerPoint PPT Presentation

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions

Chris Peikert SRI

Work with Craig Gentry and Vinod Vaikuntanathan

1 / 14

Digital Signatures

2 / 14

Digital Signatures

(secret) (public)

2 / 14

Digital Signatures

(secret) (public) “I love you” ✔

2 / 14

Digital Signatures

(secret) (public) “It’s over” ✗

2 / 14

Trapdoor Permutations

[DiffieHellman76]

◮ Public function f, secret “trapdoor” f −1

3 / 14

Trapdoor Permutations

[DiffieHellman76]

◮ Public function f, secret “trapdoor” f −1 Dom Dom x y f

3 / 14

Trapdoor Permutations

[DiffieHellman76]

◮ Public function f, secret “trapdoor” f −1 Dom Dom x y

3 / 14

Trapdoor Permutations

[DiffieHellman76]

◮ Public function f, secret “trapdoor” f −1 Dom Dom x y f −1

3 / 14

Trapdoor Permutations

[DiffieHellman76]

◮ Public function f, secret “trapdoor” f −1 Dom Dom x y f −1 ◮ Candidates: [RSA78,Rabin79,Paillier99]

✔ “General assumption” ✔ Applications: digital signatures, OT, NIZK, . . .

3 / 14

Trapdoor Permutations

[DiffieHellman76]

◮ Public function f, secret “trapdoor” f −1 Dom Dom x y f −1 ◮ Candidates: [RSA78,Rabin79,Paillier99]

✔ “General assumption” ✔ Applications: digital signatures, OT, NIZK, . . .

◮ All rely on hardness of factoring

✗ Complex: 2048-bit exponentiation ✗ Lack of diversity ✗ Broken by quantum algorithms [Shor]

3 / 14

Lattice-Based Cryptography

What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ]

4 / 14

Lattice-Based Cryptography

What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] What’s Known

1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev] 2 Public-key encryption [AjtaiDwork,Regev] 3 Recent developments [LyubMicc,PeikWat,. . . ]

4 / 14

Lattice-Based Cryptography

What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] What’s Known

1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev] 2 Public-key encryption [AjtaiDwork,Regev] 3 Recent developments [LyubMicc,PeikWat,. . . ]

What’s Missing ◮ Everything else! Practical signatures, protocols, “advanced” crypto, . . .

4 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f −1

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f −1

• Generate (x, y) in two equivalent ways:

D x y

f

R y x

f −1

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f −1

• Generate (x, y) in two equivalent ways:

D x y

f

R y x

f −1

• “As good as” trapdoor permutations in many applications

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f −1

• Generate (x, y) in two equivalent ways:

D x y

f

R y x

f −1

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f −1

• Generate (x, y) in two equivalent ways:

D x y

f

R y x

f −1

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc. 3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV], . . .

5 / 14

Results: New Lattice-Based Crypto

1 Preimage sampleable trapdoor functions

D R x y f −1

• Generate (x, y) in two equivalent ways:

D x y

f

R y x

f −1

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc. 3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV], . . .

New Algorithmic Tool ◮ “Oblivious decoder” on lattices

5 / 14

Lattices

A lattice L ⊂ Rn having basis B = {b1, . . . , bn} is: L =

n

• i=1

(Z · bi)

O b1 b2 6 / 14

Lattices

A lattice L ⊂ Rn having basis B = {b1, . . . , bn} is: L =

n

• i=1

(Z · bi)

O b1 b2 6 / 14

Lattices

A lattice L ⊂ Rn having basis B = {b1, . . . , bn} is: L =

n

• i=1

(Z · bi)

O b1 b2

Shortest Vector Problem (SVPγ) ◮ Given B, find (nonzero) v ∈ L within γ factor of shortest.

6 / 14

Lattices

A lattice L ⊂ Rn having basis B = {b1, . . . , bn} is: L =

n

• i=1

(Z · bi)

O t β b1 b2

Shortest Vector Problem (SVPγ) ◮ Given B, find (nonzero) v ∈ L within γ factor of shortest. Absolute Distance Decoding (ADDβ) ◮ Given B and target t ∈ Rn, find some v ∈ L within distance β.

6 / 14

Complexity of Lattice Problems

SVPγ in the Worst Case γ = O(1) NP-hard

[Ajt,Mic,Kho]

poly(n) 2n time

[AKS]

2n poly(n) time

[LLL,Sch]

7 / 14

Complexity of Lattice Problems

SVPγ in the Worst Case γ = O(1) NP-hard

[Ajt,Mic,Kho]

poly(n) 2n time

[AKS]

2n poly(n) time

[LLL,Sch]

Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04]: SVPγ random lattice as hard as SVPγ·n every lattice

7 / 14

Complexity of Lattice Problems

SVPγ in the Worst Case γ = O(1) NP-hard

[Ajt,Mic,Kho]

poly(n) 2n time

[AKS]

2n poly(n) time

[LLL,Sch]

Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04]: ADDβ random lattice as hard as SVPβ·n every lattice ◮ Decoding hard on average, too

7 / 14

Complexity of Lattice Problems

SVPγ in the Worst Case γ = O(1) NP-hard

[Ajt,Mic,Kho]

poly(n) 2n time

[AKS]

2n poly(n) time

[LLL,Sch]

Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04]: ADDβ random lattice as hard as SVPβ·n every lattice ◮ Decoding hard on average, too Bottom Line ◮ On random lattices, SVPγ and ADDβ seem exponentially hard

7 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S

s1 s2 b1 b2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

s1 s2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

s1 s2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

s1 s2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

s1 s2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

s1 s2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

s1 s2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

s1 s2 8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai]

8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] Issues

1 Generating short & hard bases together

• Ad-hoc, no worst-case hardness

8 / 14

GGH Signatures

[GoldreichGoldwasserHalevi96]

◮ “Hard” (public) verification basis B, short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] Issues

1 Generating short & hard bases together

• Ad-hoc, no worst-case hardness

2 Secret key leakage

• Total break after several signatures [NguyenRegev]

8 / 14

Gaussians and Lattices

9 / 14

Gaussians and Lattices

9 / 14

Gaussians and Lattices

9 / 14

Gaussians and Lattices

“Uniform” in Rn when std dev ≥ shortest basis

[Regev,MicciancioRegev]

9 / 14

Our Trapdoor Function

◮ “Hard” public basis B, short secret basis S

[Ajtai99,AP08]

b1 b2 s1 s2 10 / 14

Our Trapdoor Function

◮ “Hard” public basis B, short secret basis S

[Ajtai99,AP08]

◮ Input v ∈ L, error e

10 / 14

Our Trapdoor Function

◮ “Hard” public basis B, short secret basis S

[Ajtai99,AP08]

◮ Input v ∈ L, error e

10 / 14

Our Trapdoor Function

◮ “Hard” public basis B, short secret basis S

[Ajtai99,AP08]

◮ Input v ∈ L, error e ◮ Uniform output t

t 10 / 14

Our Trapdoor Function

◮ “Hard” public basis B, short secret basis S

[Ajtai99,AP08]

◮ Input v ∈ L, error e ◮ Uniform output t

t 10 / 14

Our Trapdoor Function

◮ “Hard” public basis B, short secret basis S

[Ajtai99,AP08]

◮ Input v ∈ L, error e ◮ Uniform output t

t

◮ Conditional distribution is “discrete Gaussian” DL,t Analysis tool in

[Ban,AR,Reg,MR,Pei,. . . ]

10 / 14

Inverting: Gaussian Sampler / Decoder

◮ Given basis S, samples DL,t for any std dev ≥ maxsi

• Leaks nothing about S!

11 / 14

Inverting: Gaussian Sampler / Decoder

◮ Given basis S, samples DL,t for any std dev ≥ maxsi

• Leaks nothing about S!

◮ Randomized nearest-plane [Babai,Klein]

t s1 s2 11 / 14

Inverting: Gaussian Sampler / Decoder

◮ Given basis S, samples DL,t for any std dev ≥ maxsi

• Leaks nothing about S!

◮ Randomized nearest-plane [Babai,Klein]

t s1 s2 11 / 14

Inverting: Gaussian Sampler / Decoder

◮ Given basis S, samples DL,t for any std dev ≥ maxsi

• Leaks nothing about S!

◮ Randomized nearest-plane [Babai,Klein]

t s1 s2 11 / 14

Inverting: Gaussian Sampler / Decoder

◮ Given basis S, samples DL,t for any std dev ≥ maxsi

• Leaks nothing about S!

◮ Randomized nearest-plane [Babai,Klein]

t s1 s2 11 / 14

Inverting: Gaussian Sampler / Decoder

◮ Given basis S, samples DL,t for any std dev ≥ maxsi

• Leaks nothing about S!

◮ Randomized nearest-plane [Babai,Klein]

t s1 s2

[Klein]: std dev ≤ min ˜

si ⇒ solves CVP variant

11 / 14

Inverting: Gaussian Sampler / Decoder

◮ Given basis S, samples DL,t for any std dev ≥ maxsi

• Leaks nothing about S!

◮ Randomized nearest-plane [Babai,Klein]

t s1 s2

[Klein]: std dev ≤ min ˜

si ⇒ solves CVP variant

[This work]: std dev ≥ max˜

si ⇒ samples DL,t exactly∗

11 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .

◮ [BonehFranklin01]: bilinear pairings

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .

◮ [BonehFranklin01]: bilinear pairings ◮ [Cocks01]: quadratic residuosity (mod N = pq)

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .

◮ [BonehFranklin01]: bilinear pairings ◮ [Cocks01]: quadratic residuosity (mod N = pq) Lattice-based QR-based [Cocks,BGH] mpk random lattice random N = p · q

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .

◮ [BonehFranklin01]: bilinear pairings ◮ [Cocks01]: quadratic residuosity (mod N = pq) Lattice-based QR-based [Cocks,BGH] mpk random lattice random N = p · q msk trapdoor basis trapdoor p, q

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .

◮ [BonehFranklin01]: bilinear pairings ◮ [Cocks01]: quadratic residuosity (mod N = pq) Lattice-based QR-based [Cocks,BGH] mpk random lattice random N = p · q msk trapdoor basis trapdoor p, q Hash(ID) uniform y ∈ Rn uniform y ∈ QRN

12 / 14

Identity-Based Encryption

◮ Proposed by [Shamir84]:

• Master keys mpk, msk
• With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .

◮ [BonehFranklin01]: bilinear pairings ◮ [Cocks01]: quadratic residuosity (mod N = pq) Lattice-based QR-based [Cocks,BGH] mpk random lattice random N = p · q msk trapdoor basis trapdoor p, q Hash(ID) uniform y ∈ Rn uniform y ∈ QRN skID random ∈ f −1(y) random √y

12 / 14

Cryptosystem with Master Trapdoor

Primal L Dual L∗

sk pk 13 / 14

Cryptosystem with Master Trapdoor

Primal L Dual L∗

sk pk v

◮ For v ∈ L∗: v, pk = v, sk mod 1

13 / 14

Cryptosystem with Master Trapdoor

Primal L Dual L∗

sk pk v w

◮ For v ∈ L∗: v, pk = v, sk mod 1 ◮ For w ≈ v: v, pk ≈ w, sk mod 1 “quasi”-agreement

13 / 14

Cryptosystem with Master Trapdoor

Primal L Dual L∗

sk pk v w

◮ For v ∈ L∗: v, pk = v, sk mod 1 ◮ For w ≈ v: v, pk ≈ w, sk mod 1 “quasi”-agreement ◮ Security: decoding w, a.k.a. “learning with errors”

• Quantum worst-case connection [Regev]
• Now: classical worst-case hardness [P]

13 / 14

Open Problems

1 Tighter sampling for random lattices ?

14 / 14

Open Problems

1 Tighter sampling for random lattices ? 2 Practical “plain model” signatures ?

14 / 14

Open Problems

1 Tighter sampling for random lattices ? 2 Practical “plain model” signatures ? 3 Relate factoring to lattice problems ?

14 / 14

Open Problems

1 Tighter sampling for random lattices ? 2 Practical “plain model” signatures ? 3 Relate factoring to lattice problems ? 4 “Essence” of quantum-immune crypto ?

14 / 14

Open Problems

1 Tighter sampling for random lattices ? 2 Practical “plain model” signatures ? 3 Relate factoring to lattice problems ? 4 “Essence” of quantum-immune crypto ?

Thanks!

(Artwork courtesy of xkcd.org) 14 / 14