Blue Border - Courant Institute of Mathematical Sciences


Lattice-Based Cryptography

Cryptographic Hardness Assumptions

• Factoring is hard
• Discrete Log Problem is hard
• Diffie-Hellman problem is hard
• Decisional Diffie-Hellman problem is hard
• Problems involving Elliptic Curves are hard
• ... many assumptions
Why Do We Need More Assumptions?

• Number theoretic functions are rather slow
• Factoring, Discrete Log, Elliptic curves are “of the same flavor”
• Quantum computers break all number theoretic assumptions
Lattice-Based Cryptography

• Seemingly very different assumptions from factoring, discrete log, elliptic curves
• Simple descriptions and implementations
• Very parallelizable
• Resists quantum attacks (we think)
• Security based on worst-case problems
Average-Case Assumptions vs. Worst-Case Assumptions

• Example: Want to base a scheme on factoring
• Need to generate a “hard-to-factor” N
• How?
• Need a “hard distribution”
Picking a Hard-to-Factor N

How do you pick a “good” N?
• Just pick p, q as random large primes and set N = pq?
• (1978) Largest prime factors of p-1, q-1 should be large
• (1981) p+1 and q+1 should have a large prime factor
• (1982) If the largest prime factors of p-1 and q-1 are p' and q', then p'-1 and q'-1 should have large prime factors
• (1984) If the largest prime factors of p+1 and q+1 are p' and q', then p'-1 and q'-1 should have large prime factors
• ...
Picking a Hard-to-Factor N

• Need to know a probability distribution over Z such that picking an N according to it will make N hard to factor
• Wishful thinking: There is a distribution D such that factoring in the worst case reduces to factoring numbers chosen according to D
Lattice Problems

[Diagram: Worst-Case lattice problems → Average-Case problems → cryptographic primitives]
Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
Primitives (Minicrypt): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
Primitives (Cryptomania): Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption
Shortest Independent Vector Problem (SIVP)

Find n short linearly independent vectors

Approximate Shortest Independent Vector Problem

Find n pretty short linearly independent vectors
Lattice Problems

[Diagram: Worst-Case: SIVP, with a quantum step from SIVP to BDD → Average-Case: SIS, LWE → cryptographic primitives]
Worst-Case: Shortest Independent Vector Problem (SIVP), Bounded Distance Decoding (BDD)
Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
Primitives (Minicrypt): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
Primitives (Cryptomania): Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption
Small Integer Solution Problem

Given: Random vectors a1, ..., am in Z_q^n
Find: non-trivial solution z1, ..., zm in {-1,0,1} such that:
z1·a1 + z2·a2 + … + zm·am = 0 in Z_q^n

Observations:
• If the size of the zi is not restricted, then the problem is trivial
• Immediately implies a collision-resistant hash function
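Both observations in code, as an added Python example that is not part of the slides: a hash function keyed by a random SIS instance (m random vectors in Z_q^n, the "Ajtai hash"), the unbounded solution z = (q, 0, ..., 0) that shows why the {-1,0,1} restriction matters, and the conversion of any hash collision into a SIS solution, which is the whole argument for collision resistance. The parameters N, M, Q, the seed and all function names are constructed for a toy instance; real parameters are far larger, and the exhaustive collision search exists only to produce a collision at toy size.

```python
import itertools
import random

# Constructed toy parameters (assumption): real instantiations use n in the hundreds,
# q = poly(n), and m > n*log2(q) so the hash compresses (here 2^12 inputs, 13^3 outputs).
N, M, Q = 3, 12, 13


def make_rng(seed):
    """Seeded RNG so runs are reproducible (constructed, not part of the scheme)."""
    return random.Random(seed)


def keygen(n, m, q, rng):
    """Public key: m uniformly random vectors a_1..a_m in Z_q^n, i.e. a random SIS instance."""
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]


def sis_hash(A, x, q):
    """Ajtai-style hash H_A(x) = x_1*a_1 + ... + x_m*a_m mod q for x in {0,1}^m.
    m input bits, n output elements of Z_q: compressing whenever 2^m > q^n."""
    n = len(A[0])
    return tuple(sum(xi * a[j] for xi, a in zip(x, A)) % q for j in range(n))


def is_sis_solution(A, z, q):
    """SIS solution: z nonzero, every z_i in {-1,0,1}, and z_1*a_1 + ... + z_m*a_m = 0 in Z_q^n."""
    return (any(z) and all(zi in (-1, 0, 1) for zi in z)
            and all(c == 0 for c in sis_hash(A, z, q)))


def unrestricted_trivial_solution(m, q):
    """First observation: with no size bound on z, z = (q, 0, ..., 0) works since
    q*a_1 = 0 mod q. The {-1,0,1} restriction is what makes SIS non-trivial."""
    return (q,) + (0,) * (m - 1)


def collision_to_sis(A, x, y, q):
    """Second observation: a collision H_A(x) = H_A(y) with x != y in {0,1}^m gives
    z = x - y in {-1,0,1}^m with sum z_i a_i = 0, i.e. a SIS solution. So a collision
    finder is a SIS solver, and SIS hardness implies collision resistance."""
    assert x != y and sis_hash(A, x, q) == sis_hash(A, y, q)
    return tuple(xi - yi for xi, yi in zip(x, y))


def find_collision_exhaustively(A, q):
    """Exhaustive search over all 2^m inputs, feasible only at this toy size; used here
    purely to produce a collision to hand to collision_to_sis. Pigeonhole guarantees one
    exists because 2^m > q^n."""
    seen = {}
    for bits in itertools.product((0, 1), repeat=len(A)):
        h = sis_hash(A, bits, q)
        if h in seen:
            return seen[h], bits
        seen[h] = bits
    return None


if __name__ == "__main__":
    A = keygen(N, M, Q, make_rng(1))
    x, y = find_collision_exhaustively(A, Q)
    z = collision_to_sis(A, x, y, Q)
    print("collision:", x, y)
    print("SIS solution z = x - y:", z, "valid:", is_sis_solution(A, z, Q))
```

The entries of x - y lie in {-1,0,1} precisely because the hash inputs are bit strings; allowing larger inputs would still give a collision-to-SIS conversion, but only to SIS with a larger norm bound, which is why the slide's size restriction is the parameter to watch.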
For Any Lattice ...

Consider the distribution obtained by:
1. Pick a uniformly random lattice point
2. Sample from a Gaussian distribution centered at the lattice point

[Figures: One-Dimensional Gaussian Distribution; Two-Dimensional Gaussian Distribution. Image courtesy of Wikipedia]
[Figures: Gaussians on Lattice Points, four frames. Images courtesy of Oded Regev]

Shortest Independent Vector Problem (SIVP)

Find n short linearly independent vectors
The standard deviation of the Gaussian that leads to the uniform distribution is related to the length of the longest vector in the SIVP solution
Worst-Case to Average-Case Reduction

[Figure: the fundamental parallelepiped of a two-dimensional lattice cut into a grid, each cell labeled by a vector in Z_q^n; in the picture the labels along each axis are 0, 1, 2]

Important: All lattice points have label (0,0)
and
All points labeled (0,0) are lattice points
(0^n in n-dimensional lattices)
How to use the SIS oracle to find a short vector in any lattice:

Repeat m times:
  Pick a random lattice point
  Gaussian sample a point around the lattice point
All the samples are uniform in Z_q^n
Give the m “Z_q^n samples” a1, ..., am to the SIS oracle
Oracle outputs z1, ..., zm in {-1,0,1} such that a1z1 + … + amzm = 0

[Figure: each sample si is a Gaussian point ri around a lattice point vi, so vi + ri = si]

s1z1 + ... + smzm is a lattice vector
(v1+r1)z1 + ... + (vm+rm)zm is a lattice vector
(v1z1 + ... + vmzm) + (r1z1 + ... + rmzm) is a lattice vector
So r1z1 + ... + rmzm is a lattice vector
ri are short vectors, zi are in {-1,0,1}
So r1z1 + ... + rmzm is a short lattice vector
Some Technicalities

• You can’t sample a “uniformly random” lattice point
  – In the proofs, we work with R^n / L rather than R^n
  – So you don't need to sample a random lattice point
• What if r1z1 + ... + rmzm is 0?
  – Can show that with high probability it isn't
  – Given an si, there are multiple possible ri
• Gaussian sampling doesn’t give us points on the grid
  – You can round to a grid point
  – Must be careful to bound the “rounding distance”
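The Gaussian-around-a-lattice-point sampling, the Z_q^n labelling of the fundamental parallelepiped, the SIS-oracle reduction and the rounding technicality, carried through together in an added Python example that is not part of the slides. Everything here is a constructed toy: a two-dimensional lattice with basis B, q = 5, m = 6, a brute-force search over {-1,0,1}^m standing in for the hypothetical SIS oracle, random small coefficients standing in for a "uniformly random" lattice point (which only makes sense mod L, as the technicalities slide says), and all function names. `label_bias` measures how far the labels are from uniform for a small and a large standard deviation; `short_vector_from_oracle` rounds each sample to its grid point before combining, so the output is exactly a lattice vector, and retries if every oracle answer collapses to 0.

```python
import itertools
import math
import random

# Constructed toy instance (assumption): a 2-dimensional lattice with small q and m so
# the "SIS oracle" can be brute-forced. Real reductions use n-dimensional lattices,
# q = poly(n), m = O(n log q), and a hypothetical efficient SIS solver as the oracle.
Q, M = 5, 6
B = ((3.0, 1.0), (1.0, 4.0))  # basis columns b1 = (3,1), b2 = (1,4); L = {c1*b1 + c2*b2 : c in Z^2}


def make_rng(seed):
    return random.Random(seed)


def norm(p):
    return math.hypot(*p)


def mat_vec(Bm, c):
    """B times the coefficient vector c, i.e. c[0]*b1 + c[1]*b2."""
    (x1, y1), (x2, y2) = Bm
    return (x1 * c[0] + x2 * c[1], y1 * c[0] + y2 * c[1])


def coords(Bm, p):
    """B^{-1} p: real coefficients of p in basis B (both integers iff p is in L)."""
    (x1, y1), (x2, y2) = Bm
    det = x1 * y2 - x2 * y1
    return ((y2 * p[0] - x2 * p[1]) / det, (-y1 * p[0] + x1 * p[1]) / det)


def is_lattice_vector(Bm, p, tol=1e-6):
    return all(abs(ci - round(ci)) < tol for ci in coords(Bm, p))


def label(Bm, p, q):
    """The slides' labelling: cut the fundamental parallelepiped into a q x q grid and name
    the cell containing p (mod L) by its corner, a vector in Z_q^2. Lattice points get (0,0)."""
    return tuple(int(math.floor(q * (ci - math.floor(ci)))) % q for ci in coords(Bm, p))


def grid_point(Bm, p, q):
    """Corner of the grid cell containing p, a point of (1/q)L. p - grid_point(p) is the
    rounding error and is at most one grid cell long."""
    return mat_vec(Bm, tuple(math.floor(q * ci) / q for ci in coords(Bm, p)))


def gaussian_around_lattice_point(Bm, sigma, rng):
    """Step 1: pick a lattice point v (small random coefficients; only v mod L matters).
    Step 2: r ~ N(0, sigma^2 I). Returns (v, r, v + r)."""
    v = mat_vec(Bm, (rng.randint(-3, 3), rng.randint(-3, 3)))
    r = (rng.gauss(0, sigma), rng.gauss(0, sigma))
    return v, r, (v[0] + r[0], v[1] + r[1])


def label_bias(Bm, q, sigma, samples, rng):
    """Largest deviation of the empirical label frequencies from uniform over Z_q^2.
    sigma small relative to the basis keeps the mass near label (0,0); sigma comparable to
    the longest basis vector (|b2| ~ 4.1 here) makes the labels close to uniform."""
    counts = {}
    for _ in range(samples):
        lab = label(Bm, gaussian_around_lattice_point(Bm, sigma, rng)[2], q)
        counts[lab] = counts.get(lab, 0) + 1
    return max(abs(counts.get(lab, 0) / samples - 1 / q ** 2)
               for lab in itertools.product(range(q), repeat=2))


def sis_oracle(labels, q):
    """Brute-force stand-in for the SIS oracle: all nonzero z in {-1,0,1}^m with
    z1*a1 + ... + zm*am = 0 in Z_q^n. Pigeonhole guarantees one when 2^m > q^n."""
    n = len(labels[0])
    return [z for z in itertools.product((-1, 0, 1), repeat=len(labels))
            if any(z) and all(sum(zi * a[j] for zi, a in zip(z, labels)) % q == 0
                              for j in range(n))]


def short_vector_from_oracle(Bm, q, m, sigma, rng, attempts=20):
    """The reduction: m samples s_i = v_i + r_i, their labels go to the oracle, and
    w = sum z_i (r_i - e_i) with e_i the rounding error of s_i to its grid point.
    sum z_i label_i = 0 mod q makes sum z_i grid_point(s_i) a lattice vector, hence w is
    one too; it is short because r_i and e_i are short and z_i in {-1,0,1}.
    Resamples if every oracle answer gives w = 0 (the slides' 'what if it is 0' case)."""
    for _ in range(attempts):
        samples = [gaussian_around_lattice_point(Bm, sigma, rng) for _ in range(m)]
        labels = [label(Bm, s, q) for _, _, s in samples]
        best = None
        for z in sis_oracle(labels, q):
            w = (0.0, 0.0)
            for zi, (_, r, s) in zip(z, samples):
                g = grid_point(Bm, s, q)
                w = (w[0] + zi * (r[0] - (s[0] - g[0])), w[1] + zi * (r[1] - (s[1] - g[1])))
            if norm(w) > 1e-9 and (best is None or norm(w) < norm(best)):
                best = w
        if best is not None:
            return best
    return None


if __name__ == "__main__":
    rng = make_rng(7)
    for sigma in (0.3, 3.0):
        print("sigma", sigma, "max label bias", round(label_bias(B, Q, sigma, 4000, rng), 3))
    w = short_vector_from_oracle(B, Q, M, 3.0, rng)
    print("lattice vector", w, "in L:", is_lattice_vector(B, w), "norm", round(norm(w), 3))
```

Two things the run makes visible that the slides only state: with sigma = 0.3 the labels pile up around (0,0) and its neighbouring cells, so an oracle fed those labels is not being given a uniform SIS instance and its guarantee does not apply, while sigma = 3.0 (about the length of the longest basis vector) flattens them; and because each sample is rounded to its grid corner before the z_i are applied, the returned vector has integer coordinates in basis B up to floating-point error, with the rounding error folded into the length bound rather than breaking lattice membership.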