Some Recent Progress in Lattice-Based Cryptography (Chris Peikert, slide deck)

SLIDE 1

Some Recent Progress in Lattice-Based Cryptography Chris Peikert

SRI TCC 2009

1 / 17

SLIDE 2

Lattice-Based Cryptography

Familiar number-theoretic objects: $N = p \cdot q$, $y = g^x \bmod p$, $m^e \bmod N$, $e(g^a, g^b)$ $\;\Rightarrow\;$ (lattice picture)

(Images courtesy xkcd.org) 2 / 17

SLIDE 4

Lattice-Based Cryptography

$\Rightarrow$ Why?
◮ Simple & efficient: linear, parallelizable
◮ Resists subexp & quantum attacks (so far)
◮ Security from worst-case assumptions [Ajtai96,. . . ]

(Images courtesy xkcd.org) 2 / 17

SLIDE 5

If We Had 6 Hours. . .

◮ Worst-case / average-case reductions [Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ]
◮ Cryptanalysis & concrete parameters [LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ]
◮ Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ]
  ⋆ Efficiency — complements general techniques
  !! Functionality — uses ‘extra features’ of ideals
◮ Complexity of lattice problems
  ⋆ Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ]
  ⋆ Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ]

3 / 17


SLIDE 15

This Talk

Outline: Hard Avg-Case Problems; Crypto Functions; Abstract Properties; Applications

Goals
1 ‘De-mystify’ lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions

4 / 17

SLIDE 20

Lattices

◮ Today: full-rank subgroup $L$ of $\mathbb{Z}^m$ ($x, y \in L \Rightarrow x \pm y \in L$; $\dim \mathrm{span} = m$)
◮ Basis $B = \{b_1, \ldots, b_m\}$: $L = \sum_{i=1}^{m} (\mathbb{Z} \cdot b_i)$ (Other representations too . . . )

(Figure: lattice points with origin $O$ and basis vectors $b_1$, $b_2$.)

Hard Computational Problems
◮ Find ‘relatively short’ (nonzero) vectors
◮ Estimate geometric quantities (minimum distance, covering radius, . . . )

5 / 17

SLIDE 27

A Combinatorial Problem

◮ Security param $n$, modulus $q$: group $\mathbb{Z}_q^n$ (e.g., $q = \mathrm{poly}(n)$)
◮ Columns $a_1, a_2, \ldots, a_m \in \mathbb{Z}_q^n$ form the matrix $A \in \mathbb{Z}_q^{n \times m}$
◮ Goal: find nontrivial $z = (z_1, \ldots, z_m) \in \{0, \pm 1\}^m$ such that
  $z_1 \cdot a_1 + z_2 \cdot a_2 + \cdots + z_m \cdot a_m = A z = 0 \in \mathbb{Z}_q^n$

Hash Function [Ajtai96,GGH97]
◮ Set $m > n \lg q$. Define $f_A : \{0,1\}^m \to \mathbb{Z}_q^n$, $f_A(x) = A x$
◮ Collision $x, x' \in \{0,1\}^m$ where $A x = A x'$ . . . yields solution $z = x - x' \in \{0, \pm 1\}^m$.

6 / 17
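As an added worked example (not from the slides), the hash $f_A$ above on constructed toy parameters: it shows why $m > n \lg q$ forces collisions (the domain $\{0,1\}^m$ is larger than the range $\mathbb{Z}_q^n$) and how a collision turns into a short vector of $L^\perp(A)$. The parameters $n = 2$, $q = 5$, $m = 5$ and the seed are assumptions made here.

```python
# Added example: Ajtai's hash f_A(x) = A x mod q at toy parameters, and the
# collision -> short lattice vector step. Constructed parameters: n = 2, q = 5,
# m = 5 (> n lg q ~ 4.64), so {0,1}^m has 32 inputs but Z_q^n only 25 outputs,
# and the pigeonhole principle guarantees a collision for every A.
from itertools import product
import random

N, Q, M = 2, 5, 5


def sample_matrix(n=N, m=M, q=Q, seed=2009):
    """Uniform A in Z_q^{n x m} (seeded so the demo is reproducible)."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def f_A(A, x, q=Q):
    """f_A(x) = A x mod q: the syndrome of x (works for x with +-1 entries too)."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)


def find_collision(A, q=Q):
    """Walk all of {0,1}^m; the first repeated syndrome gives x != x' with Ax = Ax'."""
    seen = {}
    for x in product((0, 1), repeat=len(A[0])):
        u = f_A(A, x, q)
        if u in seen:
            return seen[u], x
        seen[u] = x
    return None  # unreachable when 2^m > q^n


def collision_to_short_vector(A, x, x_prime, q=Q):
    """z = x - x' in {0,+-1}^m with A z = 0 mod q, i.e. a short nonzero vector of L^perp(A)."""
    z = tuple(a - b for a, b in zip(x, x_prime))
    assert all(zi in (-1, 0, 1) for zi in z)
    assert f_A(A, z, q) == (0,) * len(A)
    return z


def demo():
    """Sample A, find a collision, and return the resulting short vector."""
    A = sample_matrix()
    x, x_prime = find_collision(A)
    return collision_to_short_vector(A, x, x_prime)
```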

SLIDE 34

Geometric Perspective

◮ ‘Parity check’ matrix $A \in \mathbb{Z}_q^{n \times m}$: $L^\perp(A) = \{z \in \mathbb{Z}^m : A z = 0\}$
◮ Each $x \in \mathbb{Z}^m$ has syndrome $u = A x \in \mathbb{Z}_q^n$
◮ Enlarge domain of $f_A$ to . . . . . . still O-W (one-way) & C-R (collision-resistant)!

(Figure: the lattice $L^\perp(A)$ with origin $O$, the points $(0, q)$ and $(q, 0)$, and a vector $x$.)

Average / Worst-Case Connection [Ajtai96,. . . ]
Finding ‘short’ nonzero $z \in L^\perp(A)$, or ‘short’ $x$ with (uniform) syndrome $u$
⇓
approx lattice problems in worst case

7 / 17

SLIDE 38

Gaussians and Lattices

“Uniform” over $\mathbb{R}^m$ when std dev $\geq$ min basis length
(Used in worst/average-case reductions [Re03,MR04,. . . ])

8 / 17

SLIDE 42

Discrete Gaussians

◮ Fix uniform $A$. Choose Gaussian input $x \in \mathbb{Z}^m$:
  1 Uniform coset/syndrome $u = A x = f_A(x)$
  2 Conditional ‘discrete Gaussian’ $D_{A,u}$ on $x$, given $u$
(Analyzed in [Ba93,Re03,AR04,MR04,Re05,PR06,LM06,Pe07,. . . ])

9 / 17

SLIDE 47

A ‘Master’ Trapdoor

Short basis $B$ of $L^\perp(A)$
⇓
Invert $f_A$ in a very strong sense

Theorem [GPV08]
Given any short $B$ and $u$, can efficiently sample $x \leftarrow f_A^{-1}(u)$ according to $D_{A,u}$

◮ Dist $D_{A,u}$ leaks nothing about $B$!
◮ Generate $A$ with $B$ [Aj99,AP09]

10 / 17

SLIDE 54

Abstractly: Preimage Sampleable Function

(Figure: domain $D$ and range $R$; $f_A$ maps $x \in D$ to $u \in R$, and $f_A^{-1}$ maps $u$ back to a preimage $x$.)

◮ Generalizes TDPs, claw-free pairs, Rabin, . . .
◮ Can generate $(x, u)$ in two equivalent ways:
  REAL: $u \leftarrow R$, then $x \leftarrow f_A^{-1}(u)$
  SIMULATION: $x \leftarrow D$, then $u = f_A(x)$
◮ Apps: ‘hash-and-sign’ sigs [GPV08], NISZK [PV08], . . .

11 / 17

SLIDE 55

Onward, to Cryptomania . . .

12 / 17

SLIDE 61

Learning with Errors

◮ Goal: distinguish ‘noisy inner products’ from uniform:
  $(a_1,\ b_1 = \langle a_1, s \rangle + e_1)$, $(a_2,\ b_2 = \langle a_2, s \rangle + e_2)$, . . .
  In matrix form, with $m$ samples: $(A^t,\ b = A^t s + e)$
◮ Generator matrix $A^t$: $L(A) = \{z \in \mathbb{Z}^m : \exists s.\ z \equiv A^t s \bmod q\}$; ‘Bounded-distance’ (unique) decoding
◮ Worst-case hardness [Re05,Pe09]
◮ Basis of much crypto [Re05,PW08,GPV08,PVW08,CDMW08,AGV09,CPS09,. . . ]

13 / 17

SLIDE 68

Key Agreement & Encryption

(Figure: two parties sharing $A$; one holds $x$, the other holds $s, e$.)

$u = A x$ (public key)
$b = A^t s + e$ (ciphertext ‘preamble’)
$b' = \langle u, s \rangle + e'$ (key / ‘pad’)
$\langle x, b \rangle \approx \langle u, s \rangle$
Transcript: $(A, u, b, b')$

14 / 17
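An added worked example, not part of the deck, of the exchange on this slide at constructed toy parameters ($n = 8$, $m = 24$, $q = 257$, errors in $[-2, 2]$): the holder of $x$ computes $\langle x, b \rangle = \langle u, s \rangle + \langle x, e \rangle$, which matches the sender's pad $\langle u, s \rangle + e'$ up to a small error, so $b'$ can carry one bit scaled by $\lfloor q/2 \rfloor$ and be decrypted by rounding.

```python
# Added example: the LWE key-agreement / encryption flow (A, u = Ax, b = A^t s + e,
# b' = <u,s> + e') with one bit hidden in the pad. Parameters are constructed and
# far too small for real security; they are chosen so decryption never fails:
# |<x,e>| <= m*ERR = 48 and |e'| <= 2, total < q/4 = 64.25.
import random

N, M, Q = 8, 24, 257      # constructed toy parameters (illustration only)
ERR = 2                   # errors drawn uniformly from [-ERR, ERR]


def key_gen(rng):
    """Receiver: short secret x in {0,1}^m and public key u = A x mod q (A is shared)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    x = [rng.randrange(2) for _ in range(M)]
    u = [sum(A[i][j] * x[j] for j in range(M)) % Q for i in range(N)]
    return A, x, u


def encrypt(rng, A, u, bit):
    """Sender: fresh s, e, e'; preamble b = A^t s + e; pad b' = <u,s> + e' + bit*floor(q/2)."""
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-ERR, ERR) for _ in range(M)]
    b = [(sum(A[i][j] * s[i] for i in range(N)) + e[j]) % Q for j in range(M)]
    pad = (sum(u[i] * s[i] for i in range(N)) + rng.randint(-ERR, ERR)) % Q
    b_prime = (pad + bit * (Q // 2)) % Q
    return b, b_prime


def decrypt(x, b, b_prime):
    """Receiver: <x,b> = <Ax,s> + <x,e> ~ <u,s>; subtract it and decide 0 vs q/2 by rounding."""
    approx_pad = sum(x[j] * b[j] for j in range(M)) % Q
    diff = (b_prime - approx_pad) % Q          # = bit*floor(q/2) + (e' - <x,e>) mod q
    return 0 if min(diff, Q - diff) < abs(diff - Q // 2) else 1


def roundtrip(seed=2009, bits=(0, 1, 1, 0)):
    """Encrypt each bit with fresh (s, e, e') under one key pair; return the decrypted bits."""
    rng = random.Random(seed)
    A, x, u = key_gen(rng)
    return tuple(decrypt(x, *encrypt(rng, A, u, bit)) for bit in bits)
```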

SLIDE 69

ID-Based Encryption [GPV08]

(Figure: as on the previous slide, with $A$ shared and $s, e$ held by the encryptor.)

$u = H(\text{“alice”})$ (public key)
$b = A^t s + e$ (ciphertext randomness)
$b' = \langle u, s \rangle + e'$ (key / ‘pad’)
$\langle x, b \rangle \approx \langle u, s \rangle$
$x \leftarrow f_A^{-1}(u)$ (sampled using the short-basis trapdoor)

15 / 17

SLIDE 72

Some Open Areas

1 Hash-and-sign sigs / IBE without random oracle? RSA / pairing-style ‘accumulator’?
2 More expressive encryption / IBE schemes?
3 Connections to number-theoretic problems?

16 / 17

SLIDE 74

Further Reading

◮ Survey “Cryptographic functions from worst-case complexity assumptions” [Micciancio07]
◮ Survey “Lattice-based cryptography” [MicciancioRegev09]

Thanks!

17 / 17