On Lattices for Cryptography Jheyne N. Ortiz 1 Robson R. Araujo 2 - - PowerPoint PPT Presentation



SLIDE 1

On Lattices for Cryptography

Jheyne N. Ortiz (1), Robson R. Araujo (2), Sueli I.R. Costa (2), Ricardo Dahab (1), Diego F. Aranha (1)

1 - IC/Unicamp, 2 - Imecc/Unicamp

July 25, 2018. LAWCI - Latin American Week on Coding and Information, Unicamp, Campinas - SP

SLIDE 2

Outline

Post-quantum Cryptography
  Conventional Cryptography
  Quantum Computing
  Post-quantum Cryptography
Lattices
Lattice-based cryptography
Aspects of algebraic number theory
Choosing lattice parameters

2 / 19


SLIDE 4

Post-quantum Cryptography

Conventional Cryptography

Cryptography consists of protocols and algorithms for providing
◮ integrity;
◮ confidentiality;
◮ authenticity; and
◮ non-repudiation.
These properties can be obtained by combining encryption schemes, key-encapsulation mechanisms, digital signatures, key-exchange protocols, and hash functions.
Keywords: TLS protocol, RSA, ECDSA, SHA-2, AES.

3 / 19

SLIDE 5

Post-quantum Cryptography

Quantum Computing, Bristlecone

Figure 1: Google's new quantum computer with 72 qubits.

4 / 19


SLIDE 7

Post-quantum Cryptography

Quantum Computing

Quantum computers are an imminent threat to public-key cryptography. Shor's quantum algorithm can be used to solve the integer factorization and discrete logarithm problems [Sho97], which implies the end of RSA- and ECC-based cryptographic schemes.
Problem: a large amount of past and present personal data is left unprotected against future quantum computational power.

5 / 19

SLIDE 8

Post-quantum Cryptography

Post-quantum Cryptography

Classes of hard computational problems that support new cryptographic primitives for which efficient quantum algorithms are still unknown.

6 / 19

SLIDE 9

Post-quantum Cryptography

NIST’s Call for Post-quantum Standards

7 / 19

SLIDE 10

Post-quantum Cryptography

Post-quantum Submissions

Family         Submissions
Lattices       28
Codes          24
Multivariate   13
Hash            4
Others         13

◮ Submissions include encryption schemes, digital signatures, and key-encapsulation mechanisms.
◮ Lattice-based cryptography already provides a whole framework of cryptographic primitives!

8 / 19

SLIDE 11

Lattices

Definition of lattice

Let B = {b1, . . . , bm} ⊂ R^n be a set of m linearly independent vectors, m ≤ n. The set

$$\Lambda = \Lambda(B) = \Big\{ \sum_{i=1}^{m} x_i b_i : x_i \in \mathbb{Z} \Big\}$$

is called a lattice of rank m in R^n.

If n = m, the lattice Λ(B) is called a full-rank lattice.
Remark 1: A lattice is a discrete additive subgroup of R^n.
Remark 2: In this work we consider only full-rank lattices.

9 / 19

SLIDE 12

Lattices

Example in R^2

Example of the full-rank lattice Λ(B) ⊂ R^2 with basis B = {(1, 1), (1, −1)}.

[Figure: the lattice points generated by b1 = (1, 1) and b2 = (1, −1)]

10 / 19

SLIDE 13

Lattices

Some computational problems over lattices

Consider Λ = Λ(B) ⊂ R^n a full-rank lattice and γ = γ(n) ≥ 1 a real number that grows as a function of n, called the approximation factor.
◮ Shortest Vector Problem (SVP): find c ∈ Λ such that $\|c\| = \lambda_1(\Lambda)$, where $\lambda_1(\Lambda) := \min_{0 \neq v \in \Lambda} \|v\|$ is called the minimum distance of Λ.
◮ Approximate SVP (SVPγ): find c ≠ 0 in Λ such that $\|c\| \le \gamma(n)\,\lambda_1(\Lambda)$.
◮ Bounded Distance Decoding Problem (BDDγ): if t ∈ R^n is a target point such that $\|t - v\| < \lambda_1(\Lambda)/(2\gamma(n))$ for some v ∈ Λ, BDDγ consists in finding the unique c ∈ Λ such that $\|t - c\| < \lambda_1(\Lambda)/(2\gamma(n))$.
In general, these problems are very hard.

11 / 19
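A worked version of these definitions on the slides' own lattice B = {(1, 1), (1, −1)}, added here as an example (not code from the authors): it computes λ1 by enumeration and solves BDD by rounding coefficients, reporting whether the BDD promise dist(t, Λ) < λ1/2 actually held. The closed-form coefficient solve is specific to this orthogonal basis.

```python
import itertools
import math

# Constructed example: the full-rank lattice of slide 12, Lambda(B) in R^2 with
# basis B = {(1, 1), (1, -1)}.
B = [(1, 1), (1, -1)]

def lattice_point(coeffs, basis=B):
    """sum_i x_i b_i for integer coefficients x_i (a point of Lambda(B))."""
    dim = len(basis[0])
    return tuple(sum(x * b[j] for x, b in zip(coeffs, basis)) for j in range(dim))

def norm(v):
    return math.sqrt(sum(c * c for c in v))

def shortest_vector(basis=B, bound=3):
    """SVP by enumerating coefficient vectors with |x_i| <= bound: exact for this tiny
    lattice, infeasible in cryptographic dimensions. Returns (c, lambda_1(Lambda))."""
    best = None
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=len(basis)):
        if any(coeffs):                      # the minimum is taken over v != 0
            v = lattice_point(coeffs, basis)
            if best is None or norm(v) < norm(best):
                best = v
    return best, norm(best)

def bdd_by_rounding(t):
    """BDD with gamma = 1 for the basis B: write t = x_1 b_1 + x_2 b_2 over the reals and
    round the coefficients (valid because b_1 and b_2 are orthogonal).
    Returns (c, ok): ok tells whether the promise dist(t, Lambda) < lambda_1/2 held,
    i.e. whether c is guaranteed to be the unique closest lattice point to t."""
    x1, x2 = (t[0] + t[1]) / 2, (t[0] - t[1]) / 2
    c = lattice_point((round(x1), round(x2)))
    lam1 = shortest_vector()[1]
    dist = norm(tuple(ti - ci for ti, ci in zip(t, c)))
    return c, dist < lam1 / 2

if __name__ == "__main__":
    print(shortest_vector())            # a vector of norm sqrt(2), e.g. (-1, -1)
    print(bdd_by_rounding((2.2, 0.3)))  # ((2, 0), True)
    print(bdd_by_rounding((1.0, 0.0)))  # promise fails: t is equidistant from 4 lattice points
```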

SLIDE 14

Lattice-based cryptography

Foundations of Lattice-based Cryptography

Short Integer Solution [Ajt96]. Given m uniformly random vectors $a_i \in \mathbb{Z}_q^n$, the SIS problem is to find a nontrivial vector $z = (z_1, \ldots, z_m) \in \mathbb{Z}^m$ of norm $\|z\| \le \beta$ such that

$$\sum_{i=1}^{m} a_i \cdot z_i = 0 \in \mathbb{Z}_q^n,$$

for β a positive real and n, q positive integers.

Learning with Errors [Reg05]. The LWE problem defines a distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$, whose samples are of the form $(a,\; b = \langle s, a \rangle + e \bmod q)$, for $s \in \mathbb{Z}_q^n$ a fixed element called the secret, $a \in \mathbb{Z}_q^n$ a uniformly random element, and $e \leftarrow \psi$ sampled from an error distribution ψ (q and n as in the SIS problem). The search version of the LWE problem consists in finding s given m independent samples $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ drawn from the LWE distribution for a uniformly random secret s.

12 / 19
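An added example (not the authors' code) that builds the two objects above at toy size: an LWE sampler in the sense of [Reg05], the search problem stated literally over all q^n candidate secrets, and an SIS checker in the sense of [Ajt96]. The values n = 2, q = 13, the error range and the seed are constructed for illustration.

```python
import random
from itertools import product

# Toy parameters, constructed for illustration: n = 2, q = 13 and errors in {-1, 0, 1}
# are far too small to be secure, but keep every object of the definitions visible.
N, Q, ERROR_BOUND = 2, 13, 1

def centered_mod(x, q=Q):
    """Representative of x mod q in (-q/2, q/2], so a small error stays small."""
    x %= q
    return x - q if x > q // 2 else x

def inner(u, v, q=Q):
    """<u, v> mod q."""
    return sum(ui * vi for ui, vi in zip(u, v)) % q

def lwe_samples(s, m, q=Q, rng=None):
    """m samples (a_i, b_i = <s, a_i> + e_i mod q) from the LWE distribution of [Reg05].
    The error e_i is uniform in [-ERROR_BOUND, ERROR_BOUND], a stand-in for psi."""
    rng = rng or random.Random(2018)
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in s]
        e = rng.randint(-ERROR_BOUND, ERROR_BOUND)
        samples.append((a, (inner(s, a, q) + e) % q))
    return samples

def residual_errors(samples, s, q=Q):
    """Knowing s, b_i - <s, a_i> mod q gives back the small e_i; without s, b_i looks uniform."""
    return [centered_mod(b - inner(s, a, q), q) for a, b in samples]

def search_lwe_candidates(samples, n=N, q=Q):
    """Search-LWE stated literally: every s' in Z_q^n consistent with the error bound.
    Trying all q^n = 169 secrets is only possible at toy size; the list shrinks to the
    true secret as m grows, which is what 'given m independent samples' buys."""
    return [list(s) for s in product(range(q), repeat=n)
            if all(abs(e) <= ERROR_BOUND for e in residual_errors(samples, s, q))]

def is_sis_solution(vectors, z, beta, q=Q):
    """SIS of [Ajt96]: z in Z^m nontrivial, ||z|| <= beta and sum_i z_i a_i = 0 in Z_q^n."""
    if not any(z) or sum(zi * zi for zi in z) > beta * beta:
        return False
    n = len(vectors[0])
    return all(sum(zi * a[j] for zi, a in zip(z, vectors)) % q == 0 for j in range(n))

if __name__ == "__main__":
    secret = [5, 9]
    samples = lwe_samples(secret, m=8)
    print(residual_errors(samples, secret))   # the e_i, each in {-1, 0, 1}
    print(search_lwe_candidates(samples))     # contains [5, 9]
    print(is_sis_solution([[1, 2], [2, 4]], [2, -1], beta=3))  # True: 2*(1, 2) - (2, 4) = 0
```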

SLIDE 15

Aspects of algebraic number theory

Number fields and ring of integers

A field K is said to be a number field if $K \simeq \mathbb{Q}[x]/(f(x))$, where $f(x) \in \mathbb{Q}[x]$ is a monic irreducible polynomial. The degree of f(x) is called the degree of K.

The set $R = \mathcal{O}_K = \{a \in K : \exists\, g(x) \in \mathbb{Z}[x] \text{ s.t. } g(a) = 0\}$ is a ring called the ring of integers of K.

13 / 19

SLIDE 16

The number field K of degree n is said to be totally complex if there exist exactly n monomorphisms $\sigma_i : K \to \mathbb{C}$ ($1 \le i \le n$), where $\sigma_{i+n/2} = \overline{\sigma_i}$ for $1 \le i \le n/2$. From now on, suppose that K is a totally complex number field. The map $\sigma : K \to \mathbb{R}^n$ defined as

$$\sigma(a) = \big(\mathrm{Re}(\sigma_1(a)),\, \mathrm{Im}(\sigma_1(a)),\, \ldots,\, \mathrm{Re}(\sigma_{n/2}(a)),\, \mathrm{Im}(\sigma_{n/2}(a))\big)$$

is known as the canonical embedding.

If $\alpha \in R = \mathcal{O}_K$ satisfies $a_i := \sigma_i(\alpha) \in \mathbb{R}_{>0}$, α is called totally positive and we define the map $\sigma_\alpha : K \to \mathbb{R}^n$ as

$$\sigma_\alpha(a) = \big(\sqrt{2a_1}\,\mathrm{Re}(\sigma_1(a)),\, \sqrt{2a_1}\,\mathrm{Im}(\sigma_1(a)),\, \ldots,\, \sqrt{2a_{n/2}}\,\mathrm{Re}(\sigma_{n/2}(a)),\, \sqrt{2a_{n/2}}\,\mathrm{Im}(\sigma_{n/2}(a))\big),$$

which is called the twisted embedding.

If I is an ideal of R then σ(I) and σα(I) are full-rank lattices in R^n.

14 / 19

SLIDE 17

Lattice-based cryptography

Learning with Errors over Rings

Consider $J^\vee = \{a \in K : \mathrm{Tr}_{K/\mathbb{Q}}(aJ) \subseteq \mathbb{Z}\}$ the dual of an ideal J ⊂ R, $R_q = R/qR$, where q ≥ 2 is an integer, $K_\mathbb{R} = K \otimes_\mathbb{Q} \mathbb{R}$ and $\mathbb{T} = K_\mathbb{R}/R^\vee$.

Learning with Errors over rings (Ring-LWE) [LPR10]. The Ring-LWE distribution outputs samples of the form $(a,\; b = (a \cdot s)/q + e \bmod R^\vee) \in R_q \times \mathbb{T}$, for the secret $s \in R^\vee_q$, where $a \leftarrow R_q$ is uniformly random and $e \leftarrow \psi$, where ψ is an error distribution over $K_\mathbb{R}$.

Ring-LWE search version: for a family of distributions Ψ over $K_\mathbb{R}$, it consists in finding the secret s given arbitrarily many independent samples from the Ring-LWE distribution, for some arbitrary $s \in R^\vee_q$ and ψ ∈ Ψ.

15 / 19

SLIDE 18

Choosing lattice parameters

Twisted Ring-LWE

In usual Ring-LWE, the error e is sampled as the inverse image of some $\tilde{e} \in \mathbb{R}^n$ under the canonical embedding: $e = \sigma^{-1}(\tilde{e})$. If we replace σ by σα and choose $e = \sigma_\alpha^{-1}(\tilde{e})$ for some $\tilde{e} \in \mathbb{R}^n$, we obtain a new version of Ring-LWE called α-Ring-LWE.

Hardness proof [OAD+18]: If $\alpha \in \mathcal{O}_K$ is totally positive, the search version of Ring-LWE is reducible to the search version of α-Ring-LWE.

16 / 19
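An added example (not the authors' code) that computes the canonical and twisted embeddings of slide 16, on which the α-Ring-LWE error above is defined, for K = Q[x]/(x^4 + 1), a totally complex field of degree 4. The twist α = 3 + x − x^3 is a constructed totally positive element; comparing the covolumes of σ(O_K) and σ_α(O_K) shows how the twist reshapes the lattice.

```python
import cmath
import math

# Constructed example: K = Q[x]/(x^4 + 1), the 8th cyclotomic field, totally complex of
# degree n = 4 with ring of integers O_K = Z[x]/(x^4 + 1); elements are coefficient lists.
ZETA = cmath.exp(2j * math.pi / 8)
# sigma_1: x -> zeta and sigma_2: x -> zeta^3; their conjugates are sigma_{i+n/2}.
ROOTS = [ZETA, ZETA ** 3]

def embed(poly, root):
    """sigma_i(a) for a = sum_k poly[k] x^k: evaluate the polynomial at the root."""
    return sum(c * root ** k for k, c in enumerate(poly))

def embedding(poly, alpha=None):
    """alpha is None: the canonical embedding sigma(a) = (Re s1(a), Im s1(a), Re s2(a), Im s2(a)).
    Otherwise the twisted embedding sigma_alpha(a), scaling the i-th pair by sqrt(2 a_i)
    with a_i = sigma_i(alpha); raises ValueError if alpha is not totally positive."""
    vec = []
    for r in ROOTS:
        scale = 1.0
        if alpha is not None:
            a_i = embed(alpha, r)
            if abs(a_i.imag) > 1e-9 or a_i.real <= 0:
                raise ValueError("alpha is not totally positive")
            scale = math.sqrt(2 * a_i.real)
        z = embed(poly, r)
        vec += [scale * z.real, scale * z.imag]
    return vec

def det(m):
    """Determinant by Gaussian elimination with partial pivoting (pure Python)."""
    m, d = [row[:] for row in m], 1.0
    for i in range(len(m)):
        p = max(range(i, len(m)), key=lambda r: abs(m[r][i]))
        if p != i:
            m[i], m[p], d = m[p], m[i], -d
        d *= m[i][i]
        for r in range(i + 1, len(m)):
            f = m[r][i] / m[i][i]
            m[r] = [x - f * y for x, y in zip(m[r], m[i])]
    return d

def lattice_volume(alpha=None):
    """Covolume of sigma(O_K), or of sigma_alpha(O_K): |det| of the embedded power basis."""
    basis = [[int(i == k) for i in range(4)] for k in range(4)]   # 1, x, x^2, x^3
    return abs(det([embedding(b, alpha) for b in basis]))

# Constructed twist alpha = 3 + x - x^3 = 3 + (zeta + zeta^-1): sigma_1(alpha) = 3 + sqrt(2)
# and sigma_2(alpha) = 3 - sqrt(2) are real and positive, so alpha is totally positive.
ALPHA = [3, 1, 0, -1]
```

lattice_volume() returns 4.0, which matches 2^(-2)·sqrt(256) for the discriminant 256 of this field, and lattice_volume(ALPHA) returns 112.0 = 4·(2a_1)(2a_2) with a_1 a_2 = 7.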

SLIDE 19

Choosing lattice parameters

Efficiency versus security

◮ Encoding and decoding in LWE-based cryptographic systems are usually done using the lattice Z^k. Recently, [vP16] proposed replacing Z^k by the Leech lattice Λ24 and obtained an improvement of more than 10% in bandwidth. In our opinion, the twisted construction can provide a similar analysis for Ring-LWE-based cryptographic systems.
◮ Attacks have been mounted against some instances of Ring-LWE by exploiting good properties of specific number fields. Because of this, it has been suggested to replace the number fields in use (cyclotomic, for example) by non-Galois and/or non-monogenic number fields.

17 / 19

SLIDE 20

References I

[Ajt96] M. Ajtai. Generating Hard Instances of Lattice Problems (Extended Abstract). In Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, STOC '96, pages 99–108, New York, NY, USA, 1996. ACM.

[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On Ideal Lattices and Learning with Errors over Rings, pages 1–23. Springer Berlin Heidelberg, Berlin, Heidelberg, 2010.

[OAD+18] Jheyne N. Ortiz, Robson R. Araujo, Ricardo Dahab, Diego F. Aranha, and Sueli I. R. Costa. In praise of twisted canonical embedding. Cryptology ePrint Archive, Report 2018/356, 2018. https://eprint.iacr.org/2018/356.

18 / 19

SLIDE 21

References II

[Reg05] Oded Regev. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC '05, pages 84–93, New York, NY, USA, 2005. ACM.

[Sho97] Peter W. Shor. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput., 26(5):1484–1509, October 1997.

[vP16] Alex van Poppelen. Cryptographic decoding of the Leech lattice. Cryptology ePrint Archive, Report 2016/1050, 2016. http://eprint.iacr.org/2016/1050.

19 / 19