Lattices and Cryptography


MSR Colloquium
December 2, 2009
Joseph Silverman
Brown University & Microsoft Research
The Hitchhiker’s Guide …
Far out in the uncharted backwaters of the
unfashionable end of the Eastern Coast of
Massachusetts lies a small research group whose
ape-descended life forms are so amazingly primitive
that they still think that public key cryptography is a
pretty neat idea.
This talk is about that idea. It will include
+ Some history (much of it true)
+ Some mathematics (most of it accurate)
+ Some miscellaneous observations
Cryptography the Old Fashioned Way
Bob and Alice need to exchange confidential information.
The first thing that they do is share a secret key.
[Figure: Bob and Alice each hold the shared KEY and exchange encrypted messages, while Eve, the eavesdropper, listens on the channel.]
Without the key, Eve can’t decrypt the message.
So What’s the Problem?
The difficulty is that Bob and Alice need to share the
secret key before they even can get started.
And since repeated use of a secret key is dangerous,
they should change their secret key frequently.
Is there any way for Bob and Alice to exchange
confidential information without first sharing a secret key?
The obvious answer is NO – if Eve sees every message
that Bob and Alice send to one another, how can they
possibly exchange secret information?
Enter Whitfield Diffie and Martin Hellman
– stage left – with a brilliant idea!
Diffie and Hellman’s Brilliant Idea
Public Key Cryptography
Suppose that Alice could create a cryptosystem that
uses two different keys: Key1 and Key2
Standard Convention: Green quantities are public
knowledge, red quantities are kept secret.
Bob only needs Key1 to encrypt the message.
Alice uses Key2 to decrypt the message.
Since Eve does not know Key2 , she cannot
decrypt Bob’s message.
Crucial Property: It is vitally important that knowing
Key1 does not help Eve to determine Key2 .
A Brilliant Idea, But…
The concept of a two key cipher, now known as a
public key cipher or an asymmetric cipher,
is one of the truly brilliant ideas in Diffie and Hellman’s
revolutionary 1976 paper
New Directions in Cryptography.
Unfortunately, it’s not easy to see how to create a two key
cipher. How can the public encryption key Key1 not leak
information about the private decryption key Key2?
And indeed, although Diffie and Hellman defined the
concept of a public key cryptosystem, they were unable to
suggest even a single example!
The Birth of Public Key Cryptography
Within two years of the Diffie-Hellman paper, there were a
small handful of suggested constructions of public key
cryptosystems.
The two most practical were the
• RSA Cryptosystem
invented by Rivest, Shamir, and Adleman.
• Knapsack Cryptosystem
invented by Merkle and Hellman.
Of these two, only RSA has survived, but other systems
have arisen to challenge RSA’s original dominance.
The Public Face of
Public (and Private) Key Cryptography
Blaise de Vigenère’s 1586 book Traicté des Chiffres
describes the state-of-the-art cryptography of his day.
Jumping ahead four centuries …
In 1976 Diffie and Hellman initiate the age of public
key cryptography, and in 1978 Rivest, Shamir, and
Adleman invent the first practical public key
cryptosystem that has withstood the test of time.
The Public Uproar over
Public Key Cryptography
Diffie and Hellman begin their paper with a call to arms:
We stand today on the brink of a
revolution in cryptography.
The government’s initial reaction was strong:
• They tried to suppress distribution of the RSA paper,
but were stymied since Shamir is not a US citizen.
• The NSA instituted a “voluntary” prepublication review
process for papers on cryptography.
• Mathematicians were told to exclude foreign nationals
from cryptography-related seminars and conferences.
Putting the Genie Back into the Bottle?
The justification for the government’s actions was a
law saying that cryptographic materials are munitions!
This law dates back to the days when cryptographic
materials meant cipher machines and code books
whose internal workings were justifiably top secret.
After a few years, the government realized the futility
of trying to prevent academic discourse about
cryptography, so they came up with a “compromise”:
• It was okay to do crypto research and to publish algorithms
in journals and to give talks at conferences, but…
• foreign distribution of machine readable or executable
crypto programs was forbidden without an export license.
Putting the Genie Back into the Bottle?
As an example of this policy in action, you may recall
that early internet browsers were required to come in
two flavors:
1. A domestic version with high level crypto security.
2. An exportable version with low level (40 bit) security,
which presumably the NSA could break with ease.
There were some huge problems with the government’s
export policy:
First, at some level, optical scanners make the
“machine-readable” criterion obsolete.
This led to the manufacture of…
Machine Readable Crypto Algorithms
[Figure: the non-exportable “Tee Shirt as Munition” and the non-exportable “Soda Can as Munition”, each printed with a machine-readable crypto algorithm.]
An Unsustainable Public Policy
These amusing protests, and other more serious
legal challenges, had some effect in changing
government policy.
But ultimately the policy was rendered moot by two
simple facts:
1. Public key algorithms are simple.
2. The United States does not have a monopoly on
top-notch scientists, engineers, and programmers.
Thus restricting export of “strong crypto products”
simply allowed other countries to create their own
cryptographic and computer security industries.
The Claimants for the Public Key
Cryptography Throne
Practical and Secure Public Key Crypto
A first observation is that in the world of PKC,
“practicality” and “security” are bitter foes.
Public key cryptosystems are based on underlying hard
mathematical problems. For example, RSA is based on
the difficulty of factoring large numbers.
Three problems in particular have been used to
construct practical and secure PKCs.
• Integer Factorization
• Discrete Logarithm Problem, either in a Finite Field
or on an Elliptic Curve
• Lattice Closest Vector Problem
A Man, A Plan, …
The plan for the rest of this talk:
[1] Give you an idea of what these hard problems are
and how difficult they are to solve.
[2] Compare and contrast the operating characteristics
of the associated public key cryptosystems.
[3] Explain how some of these problems come
equipped with special gadgets that allow them to be
used in novel ways for public key crypto.
What I won’t (have time to) do:
Describe the actual public key
algorithms themselves!
Hard Problem #1: Integer Factorization
Alice’s secret key is two “large” primes p and q.
Alice’s public key is their product N = pq.
Hard Problem: Given k and b, solve the congruence
X^k ≡ b (mod N).
Alice’s Trapdoor: It is easy to solve the congruence if
you know p and q.
The fastest known algorithm to factor N is called the
Number Field Sieve. It takes about
exp(c (log N)^{1/3} (log log N)^{2/3}) steps.
That’s faster than N^ε for every ε > 0, but slower
than (log N)^d for every d.
HP #2: The Discrete Logarithm Problem
Alice’s secret key is a number e.
Alice’s public key consists of a prime p, a number g,
and its power h ≡ g^e (mod p).
Hard Problem: Given p, g, g^a (mod p), and g^b (mod p),
compute the value of g^{ab} (mod p).
Discrete Log Problem: Given p, g, and h, solve the
congruence
g^x ≡ h (mod p).
The fastest known algorithm to solve the DLP is called
the Index Calculus. It takes about
exp(c (log p)^{1/3} (log log p)^{2/3}) steps,
so similar to integer factorization.
Security versus Efficiency
RSA depends on the difficulty of factoring integers.
Elgamal depends on the difficulty of the DLP.
Modern methods can factor N and solve the DLP mod p
for values up to around 2^500, so…
current standards require that N or p be at least 2^1000.
More generally, typical security levels are set using
k-bit numbers with k = 1000 or 2000 or 4000 or 8000.
Just how long does it take to do an exponentiation
using k-bit numbers?
With paper and pencil, when, say, k = 1000?
Left as an exercise for the audience!!
By machine? Using k-bit numbers, about
k^3 computer instructions.
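As an added example, not code from Silverman’s slides: the exchange behind the “Hard Problem” of the DLP slide (given g^a and g^b, find g^{ab}), with the exponentiation written out as square-and-multiply so the k^3 estimate above can be seen in the loop. The prime p = 23, generator g = 5 and the two private exponents are toy values chosen here for illustration; Eve’s brute-force discrete log works only because p is tiny.

```python
# Added example: Diffie-Hellman key agreement mod p on top of
# square-and-multiply exponentiation, and the discrete log Eve would have
# to solve. p, g and the private exponents are toy values chosen here
# for illustration, not parameters from the talk.


def mod_exp(base: int, exponent: int, modulus: int) -> int:
    """Square-and-multiply (left-to-right binary exponentiation).

    One squaring per exponent bit plus one multiply per 1-bit, so about
    k modular multiplications for a k-bit exponent. Each multiplication
    of k-bit numbers costs about k^2 bit operations with schoolbook
    arithmetic, which is where "about k^3 instructions" comes from.
    """
    result = 1
    base %= modulus
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result


def dh_exchange(p: int, g: int, a: int, b: int):
    """Run one Diffie-Hellman exchange.

    Alice's secret is a, Bob's is b. Returns the two public values
    (g^a, g^b) that Eve sees and the shared secret as each side computes it.
    """
    A = mod_exp(g, a, p)              # Alice -> Bob : g^a mod p
    B = mod_exp(g, b, p)              # Bob -> Alice : g^b mod p
    shared_alice = mod_exp(B, a, p)   # (g^b)^a
    shared_bob = mod_exp(A, b, p)     # (g^a)^b
    return A, B, shared_alice, shared_bob


def brute_force_dlog(p: int, g: int, h: int):
    """Smallest x >= 0 with g^x ≡ h (mod p), or None if h is not a power of g.

    This is what Eve needs: recover a from g^a. It walks through all
    powers of g, so it costs about p steps, i.e. exponential in the
    bit length of p. Fine for p = 23, hopeless for a 1000-bit prime.
    """
    power = 1
    for x in range(p - 1):            # the order of g divides p - 1
        if power == h % p:
            return x
        power = (power * g) % p
    return None


# Constructed toy parameters (small enough for Eve to win).
P_TOY, G_TOY = 23, 5
A_SECRET, B_SECRET = 6, 15

if __name__ == "__main__":
    A, B, s_alice, s_bob = dh_exchange(P_TOY, G_TOY, A_SECRET, B_SECRET)
    print(f"Eve sees g^a = {A}, g^b = {B}; shared secret = {s_alice} = {s_bob}")
    a_found = brute_force_dlog(P_TOY, G_TOY, A)
    print(f"Eve solves the DLP: a = {a_found}, secret = {mod_exp(B, a_found, P_TOY)}")
```

Replacing `brute_force_dlog` with index calculus is what turns the p-step search into the subexponential cost quoted on the previous slide; the exchange itself never changes.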
Security versus Efficiency
There are two obvious ways to try to increase
efficiency without sacrificing security.
• Find a problem that’s harder to solve, so we can reduce
the bit size of the numbers. → Elliptic Curves
• Find a problem where the computation is faster, say
k^2 bit operations. → Lattices
Elliptic Curve Cryptography
What is an Elliptic Curve?
• An elliptic curve is an object with a dual nature:
• On the one hand, it is a curve, a geometric object.
• On the other hand, we can “add” points on the curve as
if they were numbers, so it is an algebraic object.
• The addition law on an elliptic curve can be described:
• Geometrically using intersections of curves
• Algebraically using polynomial equations
• Analytically using functions with complex variables
• Elliptic curves appear in diverse areas of mathematics,
ranging from number theory to complex analysis, and
from cryptography to mathematical physics.
What is an Elliptic Curve?
An Elliptic Curve is a curve given by an equation of the form
E : y^2 = x^3 + Ax + B
A typical elliptic curve
E : Y^2 = X^3 – 5X + 8
For reasons to be explained shortly, we also toss in an
extra point O “at infinity,” so E is really the set
E = { (x,y) : y^2 = x^3 + Ax + B } ∪ { O }
Adding Points on an Elliptic Curve
[Figure: points P, Q, R and P+Q on the curve. The line through P and Q meets E in a third point R, and P+Q is the reflection of R across the x-axis.]
The Addition Law on an Elliptic Curve
Ignoring various complications (tangent lines, vertical
lines, …), the addition law has the following properties:
a) P + O = O + P = P
for all P ∈ E.
b) P + (–P) = O
for all P ∈ E.
c) (P + Q) + R = P + (Q + R)
for all P, Q, R ∈ E.
d) P + Q = Q + P
for all P, Q ∈ E.
In mathematical terminology, the addition law + makes
the points of E into a commutative group.
All of the group properties are easy to check except for
the associative law (c).
Elliptic Curves Mod p
Let p be a prime. The solutions to the congruence
y^2 ≡ x^3 + Ax + B (mod p)
are called the “points” on the elliptic curve E modulo p. We
write E(Fp) for this set of solutions (together with the point O
at infinity).
The formulas for adding points still work for numbers mod p.
For example, here’s the formula for adding two different
points (x_1, y_1) and (x_2, y_2) with x_1 ≠ x_2:
$$
(x_1, y_1) + (x_2, y_2) = \left( \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2,\;
\left(\frac{y_2 - y_1}{x_2 - x_1}\right)(2x_1 + x_2) - \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^3 - y_1 \right)
$$
Messy? Yes! But easily programmed and evaluated on a
computer.
Elliptic Curves Mod p
Example: The curve
E : Y^2 = X^3 – 5X + 8 modulo 37
contains the points
P = (6,3) and Q = (8,31).
Using the addition formulas, we can compute in E(F37):
2P = (35,11) 3P = (34,25) 4P = (8,6) 5P = (16,19) …
P + Q = (34,12)
3P + 4Q = (35,11) …
Question: How many times do I have to add P to itself
in order to get Q?
This is an example of the Elliptic Curve Discrete
Logarithm Problem. [The answer is Q = 11P.]
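The computations on this slide, as an added example that is not code from the talk: the chord-and-tangent addition law mod p, double-and-add scalar multiplication, and the brute-force search that recovers m from Q = mP. It uses only the curve and points from the slide (A = –5, B = 8, p = 37, P = (6,3), Q = (8,31)); the `Point` type, class and function names are this example’s own, and the brute-force search is feasible only because p is tiny.

```python
# Added example: arithmetic on y^2 = x^3 + A x + B over F_p and the ECDLP
# by exhaustive search. Names and structure are this example's own;
# the curve and points are the ones on the slide.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None plays the role of the point O at infinity


class CurveModP:
    """y^2 = x^3 + A x + B over F_p with the chord-and-tangent group law."""

    def __init__(self, A: int, B: int, p: int):
        self.A, self.B, self.p = A % p, B % p, p
        if (4 * A ** 3 + 27 * B ** 2) % p == 0:
            raise ValueError("singular curve: discriminant is 0 mod p")

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.A * x + self.B)) % self.p == 0

    def neg(self, P: Point) -> Point:
        if P is None:
            return None
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                      # vertical line: P + (-P) = O
        if P == Q:                           # tangent line at P
            lam = (3 * x1 * x1 + self.A) * pow(2 * y1, -1, p) % p
        else:                                # chord through P and Q
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p      # equals lam*(2x1+x2) - lam^3 - y1
        return (x3, y3)

    def mul(self, m: int, P: Point) -> Point:
        """Double-and-add: mP using about log2(m) doublings and additions."""
        if m < 0:
            return self.mul(-m, self.neg(P))
        R: Point = None
        for bit in bin(m)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R


def ecdlp_brute_force(E: CurveModP, P: Point, Q: Point, bound: int):
    """Smallest m in [1, bound] with mP = Q, or None.

    Exhaustive search costs about p steps, so it is exponential in the bit
    size of p; the collision algorithms mentioned later only bring this
    down to about sqrt(p).
    """
    R: Point = None
    for m in range(1, bound + 1):
        R = E.add(R, P)
        if R == Q:
            return m
    return None


# The slide's curve and points.
E_SLIDE = CurveModP(A=-5, B=8, p=37)
P_SLIDE: Point = (6, 3)
Q_SLIDE: Point = (8, 31)

if __name__ == "__main__":
    for k in range(2, 6):
        print(f"{k}P = {E_SLIDE.mul(k, P_SLIDE)}")
    print("P + Q =", E_SLIDE.add(P_SLIDE, Q_SLIDE))
    print("Q = mP for m =", ecdlp_brute_force(E_SLIDE, P_SLIDE, Q_SLIDE, 100))
```

Running it reproduces 2P = (35,11), 3P = (34,25), 4P = (8,6), 5P = (16,19), P + Q = (34,12), and the search stops at m = 11. A side fact the search also exposes: 15P = O, so P has order 15 and 11P = –4P, which is why 3P + 4Q = 3P – P = 2P = (35,11) as on the slide.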
The Elliptic Curve Discrete Logarithm
Problem
Suppose that you are given two points P and Q in E(Fp).
The Elliptic Curve Discrete Logarithm Problem (ECDLP)
is to find an integer m satisfying
m summands
Q = P + P + … + P = mP.
• If the prime p is large, it is extremely difficult to find m.
• Neal Koblitz and Victor Miller independently invented
Elliptic Curve Cryptography in 1985 when they suggested
building a cryptosystem around the ECDLP.
• For a long time, there was much scepticism about the
security of some elliptic curve cryptosystems.
For example, here’s an (in)famous 1997 assessment from
a prominent (not-to-be-named) cryptographer:
… for now trying to get an evaluation of the security of an
elliptic-curve cryptosystem is a bit like trying to get an
evaluation of some recently discovered Chaldean poetry.
HP #2': The Elliptic Curve Discrete
Logarithm Problem as a Hard Problem
Alice’s secret key is again a number e.
Alice’s public key consists of a prime p, an elliptic curve
E, a point P on E mod p, and its multiple
Q ≡ eP (mod p).
Hard Problem: Given E, P, aP (mod p), and bP (mod p),
compute the value of abP (mod p).
Elliptic Curve Discrete Log Problem: Given E, P, and Q,
solve the congruence
xP ≡ Q (mod p).
The fastest known algorithms to solve the ECDLP are
Collision Algorithms. They take about p^{1/2} steps, so are
much slower than solving DLP or factoring integers.
Elliptic Curves versus RSA
Since the ECDLP is so much harder than the IFP
(Integer Factorization Problem), cryptographic
constructions using elliptic curves can get away with
using much smaller numbers.
# of bits in keys and ciphertexts:
Bit Security | RSA   | ECC
80           | 1248  | 160
128          | 3248  | 256
256          | 15424 | 512
Important Caveat: Security depends on your definition
of the word “is”.
“is” = “as far as we presently know”
Elliptic Curves versus RSA
Elliptic curve cryptosystems have smaller keys,
smaller ciphertexts, and smaller digital signatures
than RSA.
However, the “addition” formula on elliptic curves is
quite complicated, so ECC and RSA take about the
same amount of time to encrypt and decrypt, and to
sign and verify.
How about if RSA key and message sizes are okay,
but we want faster encryption and decryption? To
achieve this goal, people have devised
cryptosystems based on hard lattice problems.
Lattice-Based Cryptography
What is a Lattice?
A lattice is a regular array of points in space.
We can connect the dots to form parallelograms.
The lattice may be described by giving
basis vectors that span a parallelogram.
What is the Closest Vector Problem?
Suppose that you know a basis for the lattice L.
Suppose that someone gives you a point P.
[Figure: a target point P and the nearest lattice point Q.]
Challenge: Find the lattice point Q that is closest to P.
This is the Closest Vector Problem.
Why Is That A Hard Problem?
I can sense everyone thinking –
“What’s so hard about the Closest Vector Problem?
Just draw the picture and pick out the closest point!”
For lattices in the plane, you’re right, it’s very easy.
It’s not even very hard in dimension 3, or 4, or 5.
However, the Closest Vector Problem is very hard in
high dimension, say in dimension 500.
Here is a picture of a lattice of dimension 500 …
Just kidding. It’s impossible to draw or visualize a
500 dimensional lattice. But it’s easy working with one
on a computer. It is just a 500 by 500 array of numbers.
Why Use Lattices for Cryptography?
Lattice problems offer the possibility of faster encryption
and decryption algorithms.
Let n be the number of bits in the underlying problem:
• n = # of bits in an RSA modulus pq
• n = # of bits in a prime p for ECC in E(Fp)
• n = (dimension of a lattice L) x (# of bits in a coordinate)
Using various “tricks,” encryption/decryption takes:
O(n^2 log n) steps for RSA and ECC.
O(n log n) steps for lattice-based cryptosystems.
It also seems prudent to have practical cryptosystems
available based on many different hard problems, rather
than relying exclusively on one or two problems.
Some History of Lattice-Based Crypto
Ajtai and Dwork (1995) described a lattice-based public
key cryptosystem having average-case/worst-case
equivalence (solving random instances of the underlying
lattice problem is at least as hard as solving its worst-case
instances). This was a theoretical cryptographic
milestone, but the AD cryptosystem is not practical.
Inspired by the work of Ajtai and Dwork, Goldreich,
Goldwasser, and Halevi (1996) proposed a more
practical lattice-based cryptosystem.
The GGH cryptosystem is fast, but it requires megabyte-size public keys to be secure.
At the same time, working independently, Hoffstein
(with Pipher and JS) developed a ring-based
cryptosystem called NTRU that only requires RSA-sized keys.
It was later discovered that NTRU could be described in
terms of a special class of lattices and is closely related to
the GGH system.
Key Sizes of Lattice-Based Cryptosystems
In a lattice-based cryptosystem:
The private key is a “good” (quasi-orthogonal) basis B_pri
The public key is a “bad” (randomized) basis B_pub
The GGH construction uses general bases:
V1 = (a11, a12, …, a1n)
V2 = (a21, a22, …, a2n)
…
Vn = (an1, an2, …, ann)
So a GGH basis is a list of n^2 numbers, where typically
n is between 500 and 2000.
NTRU solves this problem by using cyclical bases:
V1 = (a1, a2, …, an)
V2 = (a2, a3, …, a1)
…
Vn = (an, a1, …, an-1)
This means that an NTRU basis can be described using
only n numbers.
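As an added example, not from the slides: a two-dimensional toy of the good-basis/bad-basis trapdoor behind the Closest Vector Problem slides and the key-size slide above. The good basis, the unimodular change of basis that produces the bad basis, the hidden lattice point and the small error are all constructed here for illustration; both bases describe the same lattice. Babai’s rounding method (write the target in the given basis with rational coordinates, round them to integers) finds the closest lattice point when run with the quasi-orthogonal private basis and lands far away when run with the skewed public basis. In dimension 2 a lattice-reduction algorithm would repair the bad basis instantly; the point of the slide is that nobody knows how to do that in dimension 500.

```python
# Added example (not from the talk): Babai rounding for CVP with a good and
# a bad basis of the same 2-D lattice. The bases, target and error vector
# are constructed here for illustration.
import math
from fractions import Fraction
from typing import List, Tuple

Vec = Tuple[int, int]
Basis = List[Vec]          # two row vectors spanning the lattice

# Private "good" basis: nearly orthogonal.
GOOD: Basis = [(10, 1), (-1, 10)]
# Public "bad" basis: w1 = 4*b1 + 3*b2, w2 = 3*b1 + 2*b2. The coefficient
# matrix [[4,3],[3,2]] has determinant -1, so it spans the same lattice.
BAD: Basis = [(37, 34), (28, 23)]


def det(basis: Basis) -> int:
    (a, b), (c, d) = basis
    return a * d - b * c


def coordinates(basis: Basis, target: Vec) -> Tuple[Fraction, Fraction]:
    """Exact rational (c1, c2) with target = c1*b1 + c2*b2 (Cramer's rule)."""
    (b11, b12), (b21, b22) = basis
    t1, t2 = target
    d = det(basis)
    return Fraction(t1 * b22 - t2 * b21, d), Fraction(b11 * t2 - b12 * t1, d)


def babai_round(basis: Basis, target: Vec) -> Tuple[Vec, int]:
    """Babai's rounding method: round the rational coordinates to integers.

    Returns the lattice point reached and its squared distance to target.
    Works well only when the basis is close to orthogonal.
    """
    c1, c2 = (round(c) for c in coordinates(basis, target))
    (b11, b12), (b21, b22) = basis
    point = (c1 * b11 + c2 * b21, c1 * b12 + c2 * b22)
    dist_sq = (point[0] - target[0]) ** 2 + (point[1] - target[1]) ** 2
    return point, dist_sq


def same_lattice(basis_a: Basis, basis_b: Basis) -> bool:
    """True if basis_b is an integer (unimodular) change of basis_a:
    every vector of basis_b has integer coordinates in basis_a and the
    determinants agree up to sign."""
    if abs(det(basis_a)) != abs(det(basis_b)):
        return False
    return all(c.denominator == 1
               for v in basis_b for c in coordinates(basis_a, v))


def hadamard_ratio(basis: Basis) -> float:
    """|det| / (|b1| * |b2|): 1 for an orthogonal basis, near 0 for a skewed one.
    A cheap measure of how 'good' a basis is."""
    norms = [math.hypot(*v) for v in basis]
    return abs(det(basis)) / (norms[0] * norms[1])


# Hidden lattice point 2*b1 + 1*b2 = (19, 12) plus a small error (1, -1).
TARGET: Vec = (20, 11)

if __name__ == "__main__":
    print("same lattice:", same_lattice(GOOD, BAD))
    print("Hadamard ratio good/bad:", hadamard_ratio(GOOD), hadamard_ratio(BAD))
    print("good basis ->", babai_round(GOOD, TARGET))   # ((19, 12), 2)
    print("bad basis  ->", babai_round(BAD, TARGET))    # ((10, 1), 200)
```

The holder of `GOOD` recovers (19, 12) at squared distance 2; rounding in `BAD` returns the lattice point (10, 1), which is 10 units away in each coordinate. That gap between the two bases is exactly what a GGH-style private key buys, and the n^2 numbers of a general basis versus the n numbers of an NTRU cyclic basis are only about how compactly the public basis is written down.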
No-Cost Added Features
Elliptic curve and lattice-based cryptosystems have
some additional attractive features, beyond their
respective smaller keys and faster encryption.
Pairing-Based Cryptography
Elliptic curve groups have a sort of multiplication called
a bilinear pairing (due to Weil and Tate). The “product”
P*Q of two points is not a point but a number: an element
of F_p or of a small extension field of F_p.
This allows many interesting constructions, including
for example Identity Based Encryption (Shamir,
Boneh, Franklin) in which Alice can use her email
address as her public key.
No Cost Added Features
Fully Homomorphic Cryptography
Many cryptosystems have the property that
(Encryption of M1) + (Encryption of M2) = (Encryption of M1+M2)
or
(Encryption of M1) * (Encryption of M2) = (Encryption of M1* M2)
but it was a long-standing problem to find a cryptosystem with
both properties.
Such a cryptosystem allows a non-secure computer to run a
program on encrypted input and produce encrypted output
without knowledge of the unencrypted input or output.
Last year Craig Gentry constructed the first fully
homomorphic cryptosystem using ring-based lattices (and
many clever ideas). Although not yet practical, it is a huge
theoretical advance.
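As an added example, not code from the talk, tying the Hard Problem #1 slide (solve X^k ≡ b (mod N), easy with the trapdoor p, q) to the homomorphic property above: textbook RSA with toy primes. `solve_power_congruence` is Alice’s trapdoor, and `homomorphic_check` shows the multiplicative property holding while the additive one fails. The primes p = 61, q = 53 and exponent k = 17 are constructed toy values; the message values are likewise chosen here. Deployed RSA wraps the message in randomized padding precisely so that ciphertexts cannot be multiplied together this way.

```python
# Added example (not from the talk): textbook RSA with toy primes, showing
# Alice's trapdoor for X^k ≡ b (mod N) and the multiplicative homomorphism
# of textbook RSA. All parameters are constructed toy values.
from math import gcd


def rsa_private_exponent(p: int, q: int, k: int) -> int:
    """Alice's trapdoor: d with k*d ≡ 1 (mod (p-1)(q-1)).

    Computable only with the factorization N = p*q in hand.
    """
    phi = (p - 1) * (q - 1)
    if gcd(k, phi) != 1:
        raise ValueError("k must be coprime to (p-1)(q-1)")
    return pow(k, -1, phi)             # modular inverse (Python >= 3.8)


def encrypt(m: int, k: int, N: int) -> int:
    """Bob: raise the message to the public exponent k mod N."""
    return pow(m, k, N)


def solve_power_congruence(k: int, b: int, p: int, q: int) -> int:
    """Solve X^k ≡ b (mod pq) using the trapdoor (p, q): X = b^d mod N.

    Since k*d = 1 + t*(p-1)(q-1), Euler's theorem gives X^(kd) ≡ X (mod N).
    """
    d = rsa_private_exponent(p, q, k)
    return pow(b, d, p * q)


def homomorphic_check(m1: int, m2: int, p: int, q: int, k: int):
    """Return (product_ok, sum_ok).

    product_ok: does Enc(m1)*Enc(m2) decrypt to m1*m2?  (always, for textbook RSA)
    sum_ok:     does Enc(m1)+Enc(m2) decrypt to m1+m2?  (generally not)
    """
    N = p * q
    c1, c2 = encrypt(m1, k, N), encrypt(m2, k, N)
    product_ok = solve_power_congruence(k, (c1 * c2) % N, p, q) == (m1 * m2) % N
    sum_ok = solve_power_congruence(k, (c1 + c2) % N, p, q) == (m1 + m2) % N
    return product_ok, sum_ok


def factor_by_trial_division(N: int):
    """What Eve must do without the trapdoor. Trivial for this toy N,
    infeasible for a 1000-bit N (the best known method is the number
    field sieve, and even that is subexponential, not polynomial)."""
    f = 2
    while f * f <= N:
        if N % f == 0:
            return f, N // f
        f += 1
    return None


# Constructed toy key: p = 61, q = 53, N = 3233, public exponent k = 17.
P_TOY, Q_TOY, K_TOY = 61, 53, 17
N_TOY = P_TOY * Q_TOY

if __name__ == "__main__":
    c = encrypt(65, K_TOY, N_TOY)
    print("Enc(65) =", c, "-> decrypts to", solve_power_congruence(K_TOY, c, P_TOY, Q_TOY))
    print("(product_ok, sum_ok) =", homomorphic_check(7, 11, P_TOY, Q_TOY, K_TOY))
    print("Eve factors N:", factor_by_trial_division(N_TOY))
```

The multiplicative property is exactly the malleability that lets an attacker turn Enc(m) into Enc(2m) without knowing m; the additive property is the one textbook RSA lacks, and a scheme with both (at no cost to security) is what Gentry’s construction supplies.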
No Cost Added Features
Quantum-Resistant Cryptography
A quantum computer is a computer in which the usual 0-1
bits of a digital computer are replaced by qubits: quantum
states that can be superpositions of 0 and 1, and that yield
0 or 1 with some probability when measured.
In 1994 Peter Shor showed that a quantum computer
could factor numbers in polynomial time, and later
researchers showed the same for the classical and elliptic
discrete logarithm problems.
Lattice-based cryptosystems are said to be “quantum
resistant” because the best known quantum algorithms for
the closest vector problem are still exponential.