SLIDE 1
Lattice-based cryptography (I)
Thijs Laarhoven
PQCrypto Summer School 2017 (June 20, 2017)
Part 1: Lattices, cryptography, and lattice basis reduction
SLIDE 3
[Figure: origin O and basis vectors b1, b2; the lattice is the grid of all integer combinations of b1 and b2]
Lattices
What is a lattice?
A lattice is the set of all integer linear combinations $\{x_1 b_1 + x_2 b_2 : x_1, x_2 \in \mathbb{Z}\}$ of a basis $b_1, b_2$ (in general $b_1, \dots, b_n$). The same lattice has many different bases.
SLIDE 6
[Figure: the same lattice with a shortest non-zero vector s and its negative -s marked]
Lattices
Shortest Vector Problem (SVP)
SVP: given a basis, find a shortest non-zero lattice vector $s$. Since $-s$ is a lattice vector of the same length, the solution is never unique.
SLIDE 8
[Figure: a target point t off the lattice and the lattice vector v closest to it]
Lattices
Closest Vector Problem (CVP)
CVP: given a basis and a target $t$ (in general not a lattice point), find the lattice vector $v$ closest to $t$.
SLIDE 10
[Figure: the same lattice with two bases: r1, r2 short and nearly orthogonal, b1, b2 long and skewed]
Lattices
Lattice basis reduction
Lattice basis reduction: given a "bad" basis $b_1, b_2$ (long, skewed vectors), find a "good" basis $r_1, r_2$ (short, nearly orthogonal vectors) of the same lattice.
SLIDE 11
Outline
- Motivation: GGH encryption
- Lattice basis reduction
- Gauss reduction
- LLL reduction
- BKZ reduction
SLIDE 13
GGH cryptosystem
Overview
- Private key: a "good" basis $R = \begin{pmatrix} r_1 \\ r_2 \end{pmatrix}$ of the lattice (short, nearly orthogonal rows)
- Public key: a "bad" basis $B = \begin{pmatrix} b_1 \\ b_2 \end{pmatrix}$ of the same lattice (long, skewed rows)
- Encrypt $m$: $v = mB$, $c = v + e$, with $e$ a small error vector
- Decrypt $c$: $v' = \lfloor cR^{-1} \rceil R$, $m' = v'B^{-1}$
SLIDE 14
[Figure: the private basis r1, r2 drawn from the origin O: two short, nearly orthogonal vectors]
GGH cryptosystem
Private key
SLIDE 16
[Figure: the public basis b1, b2 added to the same lattice: two long, skewed vectors]
GGH cryptosystem
Public key
SLIDE 18
[Figure: the lattice point v = mB and the ciphertext c = v + e just next to it]
GGH cryptosystem
Encryption
SLIDE 21
[Figure: rounding c to the nearest point of the parallelogram grid spanned by r1, r2 lands on v' = v]
GGH cryptosystem
Decryption with good basis
Because $r_1, r_2$ are short and nearly orthogonal, the parallelograms of the grid spanned by $R$ are small and nearly square, so rounding the coordinates $cR^{-1}$ to integers returns exactly to $v$ whenever $e$ is short enough.
SLIDE 25
[Figure: rounding c in the long, skewed parallelogram grid spanned by b1, b2 lands on a different lattice point v' ≠ v]
GGH cryptosystem
Decryption with bad basis
With the long, skewed basis $B$ the parallelograms are elongated, so the same rounding step $\lfloor cB^{-1} \rceil B$ typically lands on a wrong lattice point: knowing only the public basis does not allow decryption. An attacker who can turn $B$ back into a good basis (lattice basis reduction) breaks the scheme.
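The GGH scheme from the overview slide in working form, as an added example and not code from the slides: a toy 2-dimensional instance in exact rational arithmetic, decrypting the same ciphertext once with the private basis R (good) and once with the public basis B (bad). The matrices R and U, the message m and the error e are constructed for this example; the function names are its own. Real GGH parameters are in dimension several hundred, where this toy arithmetic would not be used as-is.

```python
from fractions import Fraction
from math import floor

# Toy 2-dimensional GGH instance, constructed for this example. Real GGH
# instances live in dimension several hundred; in dimension 2 the public
# basis can be reduced back to the private one by anyone.
R = ((5, 1), (-1, 4))    # private key: rows r1, r2 are short and nearly orthogonal
U = ((3, 2), (4, 3))     # unimodular transform (det = 1) used to derive the public key

def mat_mul(A, C):
    """Product of two 2x2 matrices (rows are vectors)."""
    return tuple(tuple(sum(A[i][k] * C[k][j] for k in range(2)) for j in range(2))
                 for i in range(2))

def vec_mat(x, A):
    """Row vector x times 2x2 matrix A, i.e. x[0]*A[0] + x[1]*A[1]."""
    return tuple(sum(x[k] * A[k][j] for k in range(2)) for j in range(2))

def inverse(A):
    """Exact inverse of an integer 2x2 matrix over the rationals."""
    det = A[0][0] * A[1][1] - A[0][1] * A[1][0]
    return ((Fraction(A[1][1], det), Fraction(-A[0][1], det)),
            (Fraction(-A[1][0], det), Fraction(A[0][0], det)))

def round_vec(x):
    """Coordinate-wise rounding to the nearest integer (ties round towards +inf)."""
    return tuple(floor(c + Fraction(1, 2)) for c in x)

B = mat_mul(U, R)        # public key: B = U*R spans the same lattice as R but is long and skewed

def encrypt(m, e):
    """c = mB + e: the lattice point v = mB perturbed by a small error e."""
    v = vec_mat(m, B)
    return tuple(a + b for a, b in zip(v, e))

def decrypt(c, basis):
    """Babai rounding with the given basis: v' = round(c * basis^-1) * basis,
    m' = v' * B^-1. Returns (m', v'). Correct only when the error e, written in
    the coordinates of `basis`, has every entry below 1/2 in absolute value."""
    coords = vec_mat(c, inverse(basis))
    v_prime = vec_mat(round_vec(coords), basis)
    m_prime = vec_mat(v_prime, inverse(B))
    return tuple(int(x) for x in m_prime), tuple(int(x) for x in v_prime)

def error_in_coordinates(e, basis):
    """The error e expressed in the coordinate system of `basis`: rounding in
    decrypt() succeeds exactly when every entry is strictly below 1/2 in size."""
    return vec_mat(e, inverse(basis))

def demo():
    m, e = (2, -3), (1, -1)
    c = encrypt(m, e)
    good_m, _ = decrypt(c, R)   # private basis: e*R^-1 = (1/7, -2/7), rounding recovers v and m
    bad_m, _ = decrypt(c, B)    # public basis: e*B^-1 = (11/7, -8/7), rounding picks a wrong point
    return c, good_m, bad_m

if __name__ == "__main__":
    print(demo())   # ((-24, -27), (2, -3), (4, -4))
```

The decisive quantity is `error_in_coordinates`: for the good basis the error stays inside the half-open box of width 1/2 around the origin, for the bad basis it does not, which is exactly the small-versus-elongated parallelogram picture on the decryption slides.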
SLIDE 31
[Figure: successive frames of Gauss reduction on the basis b1, b2: the longer vector is repeatedly shortened by adding or subtracting the shorter one, swapping the two whenever b1 becomes longer than b2]
Gauss reduction
SLIDE 39
Gauss reduction
Given $B = \{b_1, b_2\}$, repeat two steps until neither changes the basis:
- Swap: If $\|b_1\| > \|b_2\|$, then swap $b_1$ and $b_2$.
- Reduce: While $\|b_2 \pm b_1\| < \|b_2\|$, replace $b_2 \leftarrow b_2 \pm b_1$.
At the end, $b_1$ is a shortest (non-zero) lattice vector and $b_2$ a "second shortest" (non-zero) lattice vector, i.e. a shortest lattice vector not a multiple of $b_1$.
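The two steps above as an added example (not code from the slides), run on a constructed long, skewed 2-dimensional basis of the kind a GGH public key would be. The basis `PUBLIC` and the helper names are assumptions of this example. It also checks the output against the Gauss-reduced condition and verifies that the reduced vectors still generate the original ones, so the lattice is unchanged.

```python
from fractions import Fraction

def norm2(v):
    """Squared Euclidean length; comparing squared lengths avoids square roots."""
    return sum(x * x for x in v)

def add(u, v):
    return tuple(a + b for a, b in zip(u, v))

def sub(u, v):
    return tuple(a - b for a, b in zip(u, v))

def gauss_reduce(b1, b2):
    """Gauss (Lagrange) reduction of a 2-dimensional lattice basis, following
    the Swap/Reduce steps on the slide. Returns (b1, b2) with b1 a shortest
    non-zero lattice vector and b2 a shortest lattice vector independent of b1."""
    b1, b2 = tuple(b1), tuple(b2)
    while True:
        if norm2(b1) > norm2(b2):              # Swap step
            b1, b2 = b2, b1
        changed = False
        while True:                            # Reduce step: shorten b2 by +-b1
            cand = min(sub(b2, b1), add(b2, b1), key=norm2)
            if norm2(cand) >= norm2(b2):
                break
            b2, changed = cand, True
        if not changed:                        # a full pass changed nothing: reduced
            return b1, b2

def is_gauss_reduced(b1, b2):
    """Gauss-reduced means |b1| <= |b2| and 2|<b1,b2>| <= |b1|^2, which is exactly
    the condition that neither b2 + b1 nor b2 - b1 is shorter than b2."""
    dot = sum(x * y for x, y in zip(b1, b2))
    return norm2(b1) <= norm2(b2) and 2 * abs(dot) <= norm2(b1)

def coordinates(v, basis):
    """Exact (x, y) with v = x*basis[0] + y*basis[1]; integer values mean v is a
    lattice point of `basis`."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return Fraction(v[0] * d - v[1] * c, det), Fraction(v[1] * a - v[0] * b, det)

# Constructed example: a long, skewed 2-dimensional basis of the kind a GGH
# public key would be. det = 13*16 - 11*17 = 21.
PUBLIC = ((13, 11), (17, 16))

def demo():
    r1, r2 = gauss_reduce(*PUBLIC)
    # The reduced vectors must generate the original ones with integer coefficients.
    same_lattice = all(x.denominator == 1 for b in PUBLIC for x in coordinates(b, (r1, r2)))
    return (r1, r2), (norm2(r1), norm2(r2)), is_gauss_reduced(r1, r2), same_lattice

if __name__ == "__main__":
    print(demo())   # (((1, -4), (5, 1)), (17, 26), True, True)
```

Each Reduce iteration strictly shortens `b2`, and the lattice has only finitely many vectors below any given length, so the loop terminates. In dimension 2 the output is a shortest basis of the lattice; a GGH public key in this dimension is therefore reduced back to a basis as good as the private key in a handful of steps, which is why the scheme relies on high dimension.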
SLIDE 42
LLL algorithm
Lenstra-Lenstra-Lovász (LLL) algorithm [LLL82]
- Blockwise generalization of Gauss reduction
- Do reductions/swaps on $(b_i, b_{i+1})$ for $i = 1, \dots, n-1$
SLIDE 52
BKZ algorithm
Lenstra-Lenstra-Lovász (LLL) algorithm [LLL82]
- Blockwise generalization of Gauss reduction
- Do reductions/swaps on $(b_i, b_{i+1})$ for $i = 1, \dots, n-1$
- Basis quality deteriorates with the dimension $n$ (with $\mathcal{L}$ the lattice spanned by the basis):
◮ Theoretically: $\|b_1\| \le 1.075^n \cdot \det(\mathcal{L})^{1/n}$
◮ Experimentally: $\|b_1\| \approx 1.022^n \cdot \det(\mathcal{L})^{1/n}$
Blockwise Korkine-Zolotarev (BKZ) reduction [Sch87, SE94]
- Blockwise generalization of Korkine-Zolotarev reduction
- Do reductions/swaps on $(b_i, \dots, b_{i+k-1})$ for $i = 1, \dots, n-k+1$
- Blocksize $k$ offers a time-quality tradeoff
BKZ uses an exact SVP algorithm in dimension $k$ as a subroutine