MULTI-BIT CRYPTOSYSTEMS BASED ON LATTICE PROBLEMS, Akinori Kawachi, Keisuke Tanaka, and Keita Xagawa, PKC 2007



SLIDE 1

MULTI-BIT CRYPTOSYSTEMS BASED ON LATTICE PROBLEMS

Akinori Kawachi, Keisuke Tanaka, and Keita Xagawa (Tokyo Institute of Technology)

PKC 2007

SLIDE 2

Agenda

• Background
• Our Results
• Conclusion

SLIDE 3

Agenda

• Background
  • Lattices
  • Lattice problems
  • Lattice-based cryptosystems
  • Motivation
• Our Results
• Conclusion

SLIDE 4

Lattices

• Given: B = [b_1, ..., b_n]
• L(B) := { Σ_i α_i b_i | α_i ∈ Z for all i }

[Figure: lattice L with basis vectors b_1 and b_2]

SLIDE 5

SVP (Shortest Vector Problem)

[Figure: lattice with basis vectors b_1, b_2 and the vector 2b_1-3b_2]

SVP: Given a basis B of a lattice L, find a shortest non-zero vector v in L

SLIDE 6

uSVP (unique Shortest Vector Problem)

[Figure: lattice with shortest vector v]

v: 2-unique

SLIDE 7

Hardness of uSVP

• If f < g, f-uSVP is not easier than g-uSVP
  • v: g-unique → v: f-unique
• f = 1 → NP-hard [Kumar and Sivakumar '01]
• f = n^{1/4} → coAM (seems not NP-hard) [Cai '98]
• f = poly(n) → ?
• Assumption:
  • If f = poly(n), f-uSVP is intractable in the worst case

SLIDE 8

Lattice-Based Cryptosystems

• Based on lattice problems
  • SVP, uSVP, CVP, etc.
• Advantages
  • Fast encryption and decryption
  • (Seems) hard to attack with quantum power
• Two types
  • Type A: efficient, but no security proofs
  • Type B: security proofs, but inefficient

SLIDE 9

Related Works

• GGH [Goldreich, Goldwasser, and Halevi '98]
• NTRU [Hoffstein, Pipher, and Silverman '98]
• ADGGH (errorless version of AD cryptosystem) [Goldreich, Goldwasser, and Halevi '98]
• Regev04 [Regev '04]
• Regev05 [Regev '05]
• Ajtai05 [Ajtai '05]
• AD [Ajtai and Dwork '97]

[Figure: the systems above arranged under Type A and Type B]

SLIDE 10

Type B

• ADGGH, Regev04, Regev05, and Ajtai05
• Advantage
  • Provable security with average-case/worst-case connection (except Ajtai05)
• Disadvantages
  • |pk| is huge
  • |plaintext| = 1

SLIDE 11

Motivation

• Towards practical lattice-based cryptosystems in Type B
  • 1. |pk| → small
  • 2. |plaintext| → large
• w/o changing |cipher|

SLIDE 12

Agenda

• Background
• Our Results
  • Summary
  • Review of Regev04
  • Our technique
  • Analysis of trade-off
  • Pseudohomomorphism
• Conclusion

SLIDE 13

Our Results

• Results
  • Proposal of multi-bit versions of Type B
    • ADGGH, Regev04, Regev05, and Ajtai05
  • Analysis of the trade-off
    • between the size of plaintext and security levels
  • Pseudohomomorphism
    • ADGGH, Regev04, Regev05, and Ajtai05

SLIDE 14

E.g.: Regev04

• Security parameter: n
  • n is the dimension of lattices
• Key Generation
• Encryption
• Decryption
• Decryption Errors
• Security Reduction

SLIDE 15

Regev04 - Key Generation 1

• Choose private period d
• Consider periodic Gaussian distribution with variance α^2

[Figure: probability plot with period d; N = 2^{8n^2}]

SLIDE 16

Regev04 - Key Generation 2

• Choose a_1, …, a_m according to the distribution

[Figure label: N]

SLIDE 17

Regev04 - Key Generation 3

• Decide the index k
• a_k/2 must be in “bottom”

[Figure labels: N, a_k, a_k/2]

SLIDE 18

Regev04 - Key Generation 4

• Secret Key: d
• Public Key: a_1, …, a_m, k

[Figure labels: N, d, a_k, a_k/2]

SLIDE 19

Regev04 - Encryption of “0”

• r ∈_R {0,1}^m
• E(0) = Σ_i r_i a_i mod N

[Figure labels: N, d]

SLIDE 20

Regev04 - Encryption of “1”

• r ∈_R {0,1}^m
• E(1) = a_k/2 + Σ_i r_i a_i mod N

[Figure labels: N, d, a_k/2]

SLIDE 21

Regev04 - Decryption 1

• Received ciphertext is c ∈ {0, …, N-1}
• Consider c mod d

[Figure label: d]

SLIDE 22

Regev04 - Decryption 2

• Decrypt to “0”

[Figure label: d]

SLIDE 23

Regev04 - Decryption 3

• Decrypt to “1”

[Figure label: d]

SLIDE 24

Regev04 - Decryption Errors

• Consider c mod d

[Figure label: d]

SLIDE 25

Regev04 - Security

• E(0) vs. E(1) with pk
• E(0) vs. U with pk
• E(0) vs. U with pk
• O(n/α)-uSVP in the worst case
  • α^2 is the variance of the distribution in key generation

[Figure labels: N, d, a_k/2]

SLIDE 26

Regev04 - Security

• E(0) vs. E(1) with pk
• E(0) vs. U with pk
• E(0) vs. U with pk
• O(n/α)-uSVP in the worst case
  • α^2 is the variance of the distribution in key generation

[Figure labels: N, d, a_k/2; highlighted: O(n/α)-uSVP in the worst case]

SLIDE 27

Our Technique

• # plaintext: 2 → p
• Increase # of “waves”
• Same |ciphertext| and |pk|

SLIDE 28

Multi Bit - Illustration

• E(0): Blue
• E(1): Green

[Figure label: d]

SLIDE 29

Multi Bit - Illustration

• Increase # of “waves”
  • with a_k = (p+1)d + e

[Figure labels: d, a_k/p]

SLIDE 30

Multi Bit - Illustration

• Make “waves” thin to decrease decryption errors
• Variance: α^2 → (α/p)^2 in key generation

[Figure labels: d, a_k/p]

SLIDE 31

Multi Bit - Illustration

• Variance: α^2 → (α/p)^2
• Underlying Problem: O(n/α)-uSVP → O(pn/α)-uSVP

[Figure labels: d, a_k/p]

SLIDE 32

Comparison

              Regev04            Ours
plaintext     1                  log p
ciphertext    8n^2               same
public key    Õ(n^4)             same
secret key    Õ(n^2)             same
security      Õ(n^{1.5})-uSVP    Õ(pn^{1.5})-uSVP

SLIDE 33

Comparison - 2

              ADGGH              Ours                Regev04            Ours
plaintext     1                  log p               1                  log p
security      O(n^{11})-uSVP     O(pn^{11})-uSVP     Õ(n^{1.5})-uSVP    Õ(pn^{1.5})-uSVP

              Regev05            Ours                Ajtai05            Ours
plaintext     1                  log p               1                  log p
security      SVP_{Õ(n^{1.5})}   SVP_{Õ(pn^{1.5})}   DA                 DA'

SLIDE 34

Homomorphism of PKE

• E(m) + E(m') = E(m + m')
  • cf. RSA, Goldwasser-Micali, ...
• Do R04 and ours have homomorphism?
  • No
  • Pseudo-homomorphism

SLIDE 35

Pseudo-homomorphism

• D(blue) = 0, D(green) = 1
• D(blue+green) = 1, D(green+green) = 0

[Figure labels: d, a_k/2 mod d]
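
The Regev04 walk-through (slides 14-24), the multi-bit change (slides 27-31) and the pseudo-homomorphism (slide 35) can be exercised with a toy model. This is an added example, not code from the slides or the authors: the function names, the tiny insecure parameters, taking N as an exact multiple of an integer period d, and picking k so that a_k = (p*q + 1)*d + e are assumptions made for illustration. With p = 2 it is the single-bit scheme.

```python
import random

def keygen(rng, p=2, m=16, h=1 << 12, sigma=8.0):
    """Toy key pair. Public: N, a_1..a_m, k, p. Secret: the period d.
    Each a_i = x_i*d + e_i lies near a multiple of d (a peak on slides 15-16)."""
    d = rng.randrange(1 << 20, 1 << 21)   # private period (toy size, insecure)
    N = h * d                             # assumption: N an exact multiple of d
    while True:
        xs = [rng.randrange(h) for _ in range(m)]
        # k needs a_k = (p*q + 1)*d + e, and a_k must not wrap around mod N
        ks = [i for i, x in enumerate(xs) if x % p == 1 and x < h - 1]
        if ks:
            break
    a = [(x * d + round(rng.gauss(0, sigma))) % N for x in xs]
    return {"N": N, "a": a, "k": ks[0], "p": p}, d

def encrypt(pk, msg, rng):
    """E(msg) = msg*floor(a_k/p) + sum_i r_i*a_i mod N, r uniform in {0,1}^m."""
    r = [rng.randrange(2) for _ in pk["a"]]
    c = msg * (pk["a"][pk["k"]] // pk["p"])
    c += sum(ai for ai, ri in zip(pk["a"], r) if ri)
    return c % pk["N"]

def decrypt(pk, d, c):
    """Round c mod d to the nearest multiple of d/p: the index of the 'wave'."""
    p = pk["p"]
    return ((c % d) * p + d // 2) // d % p

def add(pk, c1, c2):
    """Ciphertext sum; decrypts to (m1 + m2) mod p only while the noise stays small."""
    return (c1 + c2) % pk["N"]

def error_rate(p, sigma, trials=200, seed=1):
    """Fraction of wrong decryptions under a fresh toy key with noise width sigma."""
    rng = random.Random(seed)
    pk, d = keygen(rng, p=p, sigma=sigma)
    bad = sum(decrypt(pk, d, encrypt(pk, s % p, rng)) != s % p for s in range(trials))
    return bad / trials

if __name__ == "__main__":
    # Same noise width: fine for p=2, errors for p=16, fine again once narrowed.
    print(error_rate(2, 10000.0), error_rate(16, 10000.0), error_rate(16, 1250.0))
```

Keeping the noise width fixed while raising p produces decryption errors, and narrowing it restores correctness, which is the trade-off slides 30-31 express as the variance change and the harder underlying uSVP factor.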

SLIDE 36

Conclusions

• Results
  • Proposal of multi-bit versions of Type B
    • ADGGH, Regev04, Regev05, and Ajtai05
  • Analysis of the trade-off
    • between the size of plaintext and security levels
  • Pseudo-homomorphism
    • ADGGH, Regev04, Regev05, and Ajtai05
• Open Problem
  • Q(n)-bit cryptosystems with a/w connection
    • We develop O(log n)-bit cryptosystems with a/w
    • It may require a new idea