Introduction to Lattice Based Cryptography
Eduardo Morais (advisor: Ricardo Dahab), Unicamp
ASCrypto 2013, October 18, 2013
Agenda
◮ Introduction
◮ Definitions
  ◮ Dual Lattices
  ◮ q-ary Lattices
  ◮ Hard Problems
◮ Schemes
  ◮ Goldreich, Goldwasser and Halevi (GGH)
  ◮ Ajtai’s construction
  ◮ Learning With Errors (LWE), Ring LWE, NTRU-like
  ◮ Functional Encryption, Identity Based Encryption, Attribute Based Encryption, Fully Homomorphic Encryption
Lattices
(figure: basis vectors b1, b2; a target t and its reduction t′)
$L(b_1, b_2) = \{ \sum_i x_i b_i : x_i \in \mathbb{Z} \}$
Fundamental domain: $\{ \sum_i t_i b_i : 0 \le t_i < 1 \}$
Centered fundamental domain: $\{ \sum_i t_i b_i : -\tfrac{1}{2} \le t_i < \tfrac{1}{2} \}$
Reduction: $t' \equiv t \pmod{L_B}$
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- x1 = 3, x2 = 2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- x1 = 1, x2 = −1
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- x1 = 0, x2 = 0
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
-
b1,1 . . . bn,1 . . . ... . . . b1,n . . . bn,n x1 . . . xn
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- Bx
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- Volume of the
Domain?
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge:
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 d = |(9, 1) − (1, 9)|
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 d = |(9, 1) − (1, 9)| d =
- 82 + (−8)2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 d = |(9, 1) − (1, 9)| d =
- 82 + (−8)2
d = 8 √ 2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 D = |(9, 1) + (1, 9)|
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 D = |(9, 1) + (1, 9)| D =
- 102 + (−10)2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 D = |(9, 1) + (1, 9)| D =
- 102 + (−10)2
D = 10 √ 2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 D = |(9, 1) + (1, 9)| D =
- 102 + (−10)2
D = 10 √ 2 A = (10 √ 2)(8 √ 2)/2
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) Area of lozenge A = D.d/2 D = |(9, 1) + (1, 9)| D =
- 102 + (−10)2
D = 10 √ 2 A = (10 √ 2)(8 √ 2)/2 A = 10.8 = 80
Lattices
(9, 1) (1, 9) L : 9 1 1 9 x1 x2
- (9, 1)
(1, 9) det B = 9.9 − 1.1 det B = 81 − 1 det B = 80 Volume: det B
Orthogonality
(figure data, left: three bases of the lattice with A = 80; right: bases with ||b_i|| ≈ 9.05 for comparison)
||b_i|| ≈ 9.05, A = 80, A/||b_i||² = 0.97   vs.   ||b_i|| ≈ 9.05, A = 81.9, A/||b_i||² = 1
||b_i|| ≈ 21.47, A = 80, A/||b_i||² = 0.17   vs.   ||b_i|| ≈ 9.05, A = 20.46, A/||b_i||² = 0.125
||b_i|| ≈ 28.32, A = 80, A/||b_i||² = 0.10   vs.   ||b_i|| ≈ 9.05, A = 11.52, A/||b_i||² = 0.14
Hadamard ratio: $\left( \dfrac{\det L}{\prod_{1 \le i \le n} \|b_i\|} \right)^{1/n}$
Dual Lattices
(figure: basis b1, b2 and dual basis b*_1, b*_2)
$L^* = \{ y \mid \langle x, y \rangle \in \mathbb{Z}, \ \forall x \in L \}$
Dual basis: $\langle b^*_1, b_1 \rangle = 1$, $\langle b^*_1, b_2 \rangle = 0$, $\langle b^*_2, b_2 \rangle = 1$, $\langle b^*_2, b_1 \rangle = 0$
Dual Lattices
Example: $b_2 = (0, 3)$, $b_1 = (1, 2)$
$\langle (x_1, y_1), (0, 3) \rangle = 0$, $\langle (x_1, y_1), (1, 2) \rangle = 1 \Rightarrow (x_1 = 1, y_1 = 0)$
$\langle (x_2, y_2), (1, 2) \rangle = 0$, $\langle (x_2, y_2), (0, 3) \rangle = 1 \Rightarrow (x_2 = -2/3, y_2 = 1/3)$
Volume (rows $b_2$, $b_1$): $\det \begin{pmatrix} 0 & 3 \\ 1 & 2 \end{pmatrix} = -3$; dual (rows $b^*_1$, $b^*_2$): $\det \begin{pmatrix} 1 & 0 \\ -2/3 & 1/3 \end{pmatrix} = 1/3$
$L(B)^* = L((B^{-1})^T)$
$B^{-1} = -\dfrac{1}{3} \begin{pmatrix} 2 & -3 \\ -1 & 0 \end{pmatrix} = \begin{pmatrix} -2/3 & 1 \\ 1/3 & 0 \end{pmatrix}$, $(B^{-1})^T = \begin{pmatrix} -2/3 & 1/3 \\ 1 & 0 \end{pmatrix}$, whose rows are $b^*_2 = (-2/3, 1/3)$ and $b^*_1 = (1, 0)$
q-ary Lattices
(figure: lattice points (0, 0), (1, 3), (3, 2), (5, 1), (7, 0), (0, 7), (2, 6), (4, 5), (6, 4), (7, 7) with basis b1, b2)
$\Lambda_q(A) = \{ y = As \pmod q \}$
$\Lambda_q^\perp(A) = \{ y \mid Ay = 0 \pmod q \}$
$\Lambda_q^\perp(A) = q \, \Lambda_q(A)^*$, $\Lambda_q(A) = q \, \Lambda_q^\perp(A)^*$
Successive Minima
(figure: λ1, λ2 for basis b1, b2)
$\lambda_i$: minimum $r$ such that the ball $B_r$ contains $i$ linearly independent lattice vectors
Gram-Schmidt Orthogonalization Process
(figure: b1, b2 and the orthogonalized b̃2)
$B = \begin{pmatrix} 1 & & & \\ \mu_{2,1} & 1 & & \\ \vdots & \ddots & \ddots & \\ \mu_{n,1} & \cdots & \mu_{n,n-1} & 1 \end{pmatrix} \cdot \tilde{B}$, where $\mu_{i,j} = \dfrac{\langle b_i, \tilde{b}_j \rangle}{\|\tilde{b}_j\|^2}$ (rows of $B$ and $\tilde{B}$ are $b_i$ and $\tilde{b}_i$)
Minkowski’s Theorem
◮ Pigeonhole principle for lattices
◮ A symmetric and convex region with volume $2^n \det(B)$ has at least 2 non-zero lattice vectors
◮ Hermite upper bound: $\lambda_1 \le \sqrt{n} \, \det(B)^{1/n}$
◮ Gaussian heuristics: $\lambda_1 \le \sqrt{\dfrac{2n}{\pi e}} \, \det(B)^{1/n}$
◮ Lower bound: $\lambda_1 \ge \min_i \|\tilde{b}_i\|$
Shortest Vector Problem (and Gap-SVP)
(figure: λ1 and γλ1 for basis b1, b2)
Search: find $v \ne 0$ with $\|v\| \le \gamma \lambda_1$
Decision: given $d$, is $\lambda_1 \le \gamma d$?

GapSVP Complexity
γ:        $2^{(\log n)^{1-\epsilon}}$        $\sqrt{n}$        $n$        $2^n$
          NP hard      |      NP ∩ coNP      |      crypto      |      P (LLL)
LLL
(figures: successive steps of the 2-dimensional reduction of b1, b2, with b̃2)
Lovász condition: $\|\tilde{b}_{i+1}\|^2 \ge \tfrac{1}{2} \|\tilde{b}_i\|^2$
Output quality: $\|b_1\| \le 2^{(n-1)/2} \lambda_1(L)$
Two-dimensional loop: $b_2 = b_2 - c \cdot b_1$; if $\|b_2\|^2 < \tfrac{3}{4} \|b_1\|^2$, swap and loop
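The two-dimensional loop above, run on a deliberately bad basis of the slides’ (9, 1), (1, 9) lattice; this is an added example, not code from the talk, and the bad basis is a constructed unimodular combination of the two generators:

```python
from fractions import Fraction
from math import sqrt

# Added example, not from the slides: the two-dimensional LLL loop above,
# applied to a "bad" basis of the lattice generated by (9, 1) and (1, 9).
# Exact rational arithmetic keeps the size-reduction coefficient honest.

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def lll_2d(b1, b2, delta=Fraction(3, 4)):
    """Reduce (b1, b2) with the rule from the slides:
    b2 = b2 - c*b1 with c = round(<b2, b1>/||b1||^2);
    if ||b2||^2 < delta*||b1||^2, swap and loop, else stop."""
    b1, b2 = tuple(b1), tuple(b2)
    while True:
        c = round(Fraction(dot(b2, b1), dot(b1, b1)))   # size reduction
        b2 = (b2[0] - c * b1[0], b2[1] - c * b1[1])
        if dot(b2, b2) < delta * dot(b1, b1):           # Lovasz-type test
            b1, b2 = b2, b1
        else:
            return b1, b2

def det2(b1, b2):
    """Lattice volume |det B| (the lozenge area on the slides)."""
    return abs(b1[0] * b2[1] - b1[1] * b2[0])

def hadamard_ratio(b1, b2):
    """(det L / (||b1|| ||b2||))^(1/2): equals 1 for an orthogonal basis.
    The slides tabulate A/||b_i||^2, the square of this for equal lengths."""
    return sqrt(det2(b1, b2) / (sqrt(dot(b1, b1)) * sqrt(dot(b2, b2))))

# constructed bad basis: (11, 19) = (9,1) + 2(1,9), (23, 47) = 2(9,1) + 5(1,9)
BAD = ((11, 19), (23, 47))

def demo():
    """Returns (reduced basis, volume, Hadamard ratio before and after)."""
    good = lll_2d(*BAD)
    return good, det2(*good), (hadamard_ratio(*BAD), hadamard_ratio(*good))
```

The reduction recovers (1, 9), (9, 1), the volume 80 is unchanged, and the ratio climbs from about 0.26 to about 0.99.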
Shortest Independent Vectors Problem
(figure: λ1, λ2 and γλ2 for basis b1, b2)
Search: find linearly independent $(v_1, v_2)$ with $\|v_2\| \le \gamma \lambda_2$
Bounded Distance Decoding
(figure: target t near the lattice spanned by b1, b2)
Search: given $d < \lambda_1/2$ and $t \in B_d(L)$, find the lattice vector $v$ closest to $t$ (similar to the Closest Vector Problem, CVP)
Decision: given $d$ and a coset $t + L$, decide if there is $v$ s.t. $\|t - v\| \le \gamma d$
Babai’s Roundoff Algorithm
(figure: t, b1, b2 and the orthogonal directions b⊥_1, b⊥_2)
Compute $x \equiv t \pmod B$ (linear system); correct for $B_d \subset P_B$ with $d = \min_i (b^\perp_i)$
Babai’s Nearest Plane Algorithm
(figure: t, b1, b2 and b̃2)
Compute $x \equiv t \pmod{\tilde{B}}$ (iteratively); correct for $B_d \subset P_{\tilde{B}}$ with $d = \min_i (\tilde{b}_i)$
(figures: 3-dimensional illustration with b1, b2, b3, b̃3, b̃2, the target t and its projections t′, s′ onto the nearest plane)
Part II - Crypto

Goldreich, Goldwasser and Halevi (GGH)
(figure: good basis v1, v2, bad basis b1, b2, lattice point v, ciphertext c and error r)
◮ No security proof
◮ Trapdoor: orthogonality
◮ Good basis: V = (v1, v2); bad basis: B = (b1, b2)
◮ Encrypt r: c = v + r (mod B)
◮ Decrypt: r = c − v
Ajtai’s Construction
(figure: the q-ary lattice points shown above with basis b1, b2)
$f_A(x) = Ax$, surjective, small $x$ (SIS problem)
collision $x, x'$ ⇒ short vector $x - x'$ in $\Lambda_q^\perp$
worst to average quantum reduction
Learning With Errors
Search problem: given $b_i = \langle a_i, s \rangle + e_i$, find $s$
Decision problem: distinguish $(a_i, b_i)$ from uniform
Search to decision reduction
(figure: the q-ary lattice points shown above with basis b1, b2)
$g_A(x) = Ax + e$, injective
worst to average quantum reduction
LWE Based Cryptosystem
Alice (secret $s$) publishes $b = As + e$
Bob encrypts $m$: $(c_1, c_2) = (Ax, \ bx + m q/2)$
Alice decrypts: $m \cdot q/2 = c_2 - c_1 s$
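A toy instance of the three-message scheme above, written as an added example rather than code from the talk; the parameters (n = 8, m = 32, q = 1009, errors in {−1, 0, 1}) are constructed for illustration only and are far too small to be secure. It makes explicit the transposes the slides leave implicit: c1 combines rows of A with a binary x, and decryption sees only ⟨x, e⟩ + m·⌊q/2⌋.

```python
import random

# Added example, not from the slides: toy LWE encryption of one bit.
# Constructed, insecure parameters: secret dimension N, M samples, modulus Q.
N, M, Q = 8, 32, 1009

def keygen(rng):
    """Alice: secret s, public (A, b = A s + e) with small e."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(sum(a * t for a, t in zip(row, s)) + ei) % Q
         for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, bit, rng):
    """Bob: x in {0,1}^M, c1 = x A (combination of rows of A),
    c2 = <x, b> + bit*floor(q/2). The slides write this as (Ax, bx + mq/2)."""
    A, b = pk
    x = [rng.randrange(2) for _ in range(M)]
    c1 = [sum(x[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    c2 = (sum(xi * bi for xi, bi in zip(x, b)) + bit * (Q // 2)) % Q
    return c1, c2

def decrypt(s, ct):
    """Alice: c2 - <c1, s> = <x, e> + bit*floor(q/2); |<x, e>| <= M < q/4,
    so rounding to the nearest multiple of q/2 removes the error."""
    c1, c2 = ct
    v = (c2 - sum(ci * si for ci, si in zip(c1, s))) % Q
    if v > Q // 2:          # centred representative in (-q/2, q/2]
        v -= Q
    return 1 if abs(v) > Q // 4 else 0

def roundtrip(seed=1):
    """Encrypt and decrypt a fixed bit pattern; returns the recovered bits."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return [decrypt(s, encrypt(pk, bit, rng)) for bit in (0, 1, 1, 0)]
```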
Cyclotomic Rings
(figure: the points (0, 0), (5, 0), (0, 5), (5, 5), (3, 3) of $\mathbb{Z}_5 \times \mathbb{Z}_5$)
$\Phi_{2^n}(x) = x^{2^{n-1}} + 1$; if $\zeta_{2^n} \in \mathbb{Z}_q$ then $\Phi_{2^n} \equiv \prod_{i \in \mathbb{Z}^*_{2^n}} (x - \zeta^i_{2^n})$
Ring: $\mathbb{Z}_5[x]/(x^2 + 1)$, $x^2 + 1 \equiv (x + 2)(x + 3)$, $a(x) = 3x + 3$

Coefficient Representation
$x^2 + 1 \equiv (x + 2)(x + 3) \equiv (x - 3)(x - 2)$; $a(x) = 3x + 3$, $2(3x + 3) \equiv x + 1$
$a \mapsto (3, 3)^T$, $2a \mapsto (1, 1)^T$

Evaluation Representation
$a(2) \equiv 4$, $a(3) \equiv 2$, so $a \mapsto (4, 2)^T$ and $2a \mapsto (3, 4)^T$ (FFT)

Cyclotomic Rings
FFT (Vandermonde): $\begin{pmatrix} 1 & 2 \\ 1 & 3 \end{pmatrix} \begin{pmatrix} 3 \\ 3 \end{pmatrix} = \begin{pmatrix} 4 \\ 2 \end{pmatrix}$
FFT$^{-1}$ (Vandermonde inverse): $\begin{pmatrix} 3 & -2 \\ -1 & 1 \end{pmatrix} \begin{pmatrix} 3 \\ 4 \end{pmatrix} = \begin{pmatrix} 1 \\ 1 \end{pmatrix}$
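The two representations of $\mathbb{Z}_5[x]/(x^2 + 1)$ above, as an added example (not from the talk) that also goes one step beyond the slides: after the Vandermonde map, ring multiplication is pointwise, and mapping back with the inverse gives the same result as schoolbook multiplication reduced by $x^2 = -1$.

```python
# Added example, not from the slides: coefficient <-> evaluation representation
# in R = Z_5[x]/(x^2 + 1), where x^2 + 1 = (x - 2)(x - 3). The "FFT" is the
# 2x2 Vandermonde matrix [1 2; 1 3] of the roots 2 and 3, its inverse is
# [3 -2; -1 1] (det = 1), and multiplication becomes pointwise after the map.
Q = 5
ROOTS = (2, 3)   # 2^2 = 4 = -1 mod 5, so 2 and 3 = -2 are the roots of x^2 + 1

def evaluate(coeffs):
    """Coefficient vector (a0, a1) -> (a(2), a(3)) mod 5: the FFT step."""
    a0, a1 = coeffs
    return tuple((a0 + a1 * r) % Q for r in ROOTS)

def interpolate(evals):
    """Inverse map via the Vandermonde inverse [3 -2; -1 1]."""
    v2, v3 = evals
    return ((3 * v2 - 2 * v3) % Q, (-v2 + v3) % Q)

def mul_coeff(a, b):
    """Schoolbook product of a0 + a1 x and b0 + b1 x, reduced by x^2 = -1."""
    a0, a1 = a
    b0, b1 = b
    return ((a0 * b0 - a1 * b1) % Q, (a0 * b1 + a1 * b0) % Q)

def mul_eval(a, b):
    """Same product computed pointwise in evaluation representation."""
    pointwise = tuple((x * y) % Q for x, y in zip(evaluate(a), evaluate(b)))
    return interpolate(pointwise)

def all_elements():
    """Every element of the ring as a coefficient vector (25 of them)."""
    return [(c0, c1) for c0 in range(Q) for c1 in range(Q)]
```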
Ring LWE
(figure: points (0, 0), (1, 3), (2, 1), (4, 2), (3, 4), (5, 0), (0, 5), (5, 5) with basis b1, b2)
$g_A(x) = Ax + e$, $A = \begin{pmatrix} 2 & 1 \\ 1 & 3 \end{pmatrix}$
ideal: $p(x) = x + 2$; $x \cdot p(x) \mapsto (-1, 2)$
Ring LWE
◮ Better reductions, better parameters
◮ Encryption, decryption, keygen: $\tilde{O}(n)$
◮ Preimage sampleable trapdoors
◮ Digital Signatures
◮ Cryptomania: IBE, ABE, FE, FHE
NTRU-like Cryptosystem [13]
Alice (secret $f, g$) publishes $A \equiv f/g \pmod q$
Bob encrypts $m$: $c \equiv 2(Ax + e) + m$
Alice decrypts: $cg \equiv 2(fx + eg) + mg$, so $m \equiv (cg \pmod 2)/g$
Dual LWE
Alice (secret $e$) publishes $u \equiv f_A(e)$
Bob encrypts bit $b$: $c_1 = g_A(s, x)$, $c_2 = u^T s + e' + b \cdot \lfloor q/2 \rfloor$
Alice decrypts: $b \equiv c_2 - e^T c_1$
Identity Based Encryption
PKG: Setup $A$ with trapdoor $s$
Alice → Bob: $u = H(ID)$, $(c_1, c_2) = \mathrm{DualEnc}(u, m_A)$
Bob → PKG: requests $s_{ID_B}$
PKG (Extract): $e = f^{-1}(u)$
Bob: $\mathrm{DualDec}(c_1, c_2)$
Functional Encryption
PKG: Setup with function $f(x, y)$; Alice, Bob, Carol, Dave, Eve and Fred receive keys $s_{y_A}, s_{y_B}, s_{y_C}, s_{y_D}, s_{y_E}, s_{y_F}$
Alice encrypts under policy $x$: $c_A = \mathrm{Enc}_{x_A}(m_A)$
Bob and Carol decrypt: $\mathrm{Dec}_{y_B}(c_A)$, $\mathrm{Dec}_{y_C}(c_A)$
Attribute Based Encryption
PKG: Setup; Alice, Bob, Carol, Dave, Eve and Fred receive keys $s_A, s_B, s_C, s_D, s_E, s_F$
Alice encrypts under policy $P$: $c_A = \mathrm{Enc}_P(m_A)$
Bob and Carol decrypt: $\mathrm{Dec}_{s_B}(c_A)$, $\mathrm{Dec}_{s_C}(c_A)$
Fully Homomorphic Encryption
◮ Operations over encrypted messages
◮ Evaluate functions with encrypted arguments
◮ Very interesting applications
◮ The error allows the computation, but can’t decrypt after some point
◮ Bootstrapping
◮ Initially close to GGH cryptosystem
◮ Now: RLWE and NTRU-like
◮ Not practical yet
◮ More with Zvika Brakerski
Conclusion
◮ Worst case reductions
◮ Efficient (at least asymptotically): $\tilde{O}(n)$
◮ Cryptomania: IBE, FE, ABE, FHE
◮ Post-quantum cryptography
◮ Lattices are not yet recommended by NSA!
References
[1] M. Ajtai. Generating hard instances of lattice problems (extended abstract). In Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, STOC ’96, pages 99–108, New York, NY, USA, 1996. ACM.
[2] L. Babai. On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, (6), 1986.
[3] Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In EUROCRYPT, pages 1–17, 2013.
[4] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. IACR Cryptology ePrint Archive, 2013:451, 2013.
[5] Craig Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. crypto.stanford.edu/craig.
[6] Craig Gentry and Shai Halevi. Hierarchical identity based encryption with polynomially many levels. In TCC, pages 437–456, 2009.
[7] Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In CRYPTO (1), pages 75–92, 2013.
[8] Jeffrey Hoffstein, Jill Pipher, and J. H. Silverman. An Introduction to Mathematical Cryptography. Springer Publishing Company, Incorporated, 1st edition, 2008.
[9] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring-based public key cryptosystem. In Lecture Notes in Computer Science, pages 267–288. Springer-Verlag, 1998.
[10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. Advances in Cryptology - EUROCRYPT 2010, 6110/2010(015848):1–23, 2010.
[11] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 700–718. Springer Berlin Heidelberg, 2012.
[12] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the thirty-seventh annual ACM symposium on Theory of computing, STOC ’05, pages 84–93, New York, NY, USA, 2005. ACM.
[13] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. In Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology, EUROCRYPT’11, pages 27–47, Berlin, Heidelberg, 2011. Springer-Verlag.