Post on 18-Dec-2015
transcript
1
New Lattice Based Cryptographic Constructions
Oded Regev
2
Lattices
• Basis: v1,…,vn vectors in R^n
• The lattice is a1v1+…+anvn for all integer a1,…,an.
• What is the shortest vector u?
[Figure: lattice generated by v1 and v2, with labelled points 0, v1, v2, 2v1, v1+v2, 2v2, 2v2-v1, 2v2-2v1]
3
Lattices – not so easy
[Figure: lattice with basis v1, v2 and labelled points 0 and 3v1-4v2]
4
f(n)-unique-SVP (shortest vector problem)
• Promise: the shortest vector u is shorter by a factor of f(n)
• Algorithm for 2^n-unique SVP [LLL82,Schnorr87]
• Believed to be hard for any n^c
[Figure: axis of f(n) from 1 to 2^n; believed hard at n^c, easy at 2^n]
5
History
• Geometric objects with rich structure
• Early work by Gauss 1801, Hermite 1850, Minkowski 1896
• More recent developments:
  – LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovász82]
    • Factoring rational polynomials
    • Solving integer programs in a fixed dimension
    • Breaking knapsack cryptosystems
  – Ajtai’s average case connection [Ajtai96]
    • Lattice based cryptosystems
6
Question
• From which distribution is the following sequence taken?
478, 21, 431, 897, 150, 701, 929, 232
Uniform?
Or wavy?
[Figure: two probability plots over 1…1000, one uniform and one wavy]
7
The d,γ-wavy Distribution
• Periodization of the normal distribution
• R=2^(2n^2)
• Number of periods is d (usually integer)
• Ratio of period to standard dev. is γ
• dist_d : {0,…,R-1} → [0,½] is the normalized distance from the nearest peak
[Figure: probability plot over 0…R-1 with d=7 periods; the ratio of period to standard deviation is marked =γ]
8
Main Theorem
• For all γ=γ(n), a reduction from γn^(1/2)-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n^2)
9
Average-case Theorem
• For all γ=γ(n), a reduction from γn^(1/2)-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions for a non-negligible fraction of values d in [2^(n^2),2•2^(n^2)]
10
Applications of Main Theorem
1. Public key encryption scheme
2. Collision resistant hash function
3. A problem in quantum computation
11
Cryptography
• ‘Standard’ cryptography:
  • Usually based on factoring, discrete log, principal ideal problem
  • Average case assumption
  • Mostly broken by quantum computers
• Lattice based cryptography [Ajtai96,…]:
  • Based on lattice problems
  • Worst case assumption
  • Still not broken by quantum computers
12
Application 1
Public Key Encryption (PKE)
• Consists of private key, public key, encryption and decryption
• The Ajtai-Dwork cryptosystem [AjtaiDwork96,GoldreichGoldwasserHalevi97]
  • Previously, the only lattice based PKE with worst case assumption
  • Based on n^7-unique Shortest Vector Problem
13
Application 1
Public Key Encryption (PKE)
• We construct a new lattice based PKE from the average-case theorem:
  • Very simple description
  • Improves Ajtai-Dwork to n^1.5-unique Shortest Vector Problem
  • Uses integer numbers, very efficient
14
Application 2
Collision Resistant Hash Function
• A function f:{0,1}^r→{0,1}^s with r>s such that it is hard to find collisions, i.e., x≠y s.t. f(x)=f(y)
• Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02]
• Our construction is
  • The first which is not based on Ajtai’s iterative step
  • Somewhat stronger (based on n^1.5-uSVP)
15
Application 3
Quantum Computation
• Quantum computers can break cryptography based on factoring [Shor96]
• Based on the HSP on Abelian groups
• What about lattice based cryptography?
16
Application 3
Quantum Computation
• Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02]
• Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]
17
Main Theorem
• For all γ=γ(n), a reduction from γn^(1/2)-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n^2)
18
Proof of the Main Theorem
19
Proof Outline
[Diagram: n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem]
20
Reduction to: Decision Problem
• Given an n^1.5-unique lattice, and a prime p>n^1.5
• Assume the shortest vector is: u = a1v1+a2v2+…+anvn
• Decide whether a1 is divisible by p
21
The Reduction
• Idea: decrease the coefficients of the shortest vector
• If we find out that p|a1 then we can replace the basis with pv1,v2,…,vn.
• u is still in the new lattice: u = (a1/p)•pv1 + a2v2 + … + anvn
• The same can be done whenever p|ai for some i
22
The Reduction
• But what if p∤ai for all i?
• Consider the basis v1,v2-v1,v3,…,vn
• The shortest vector is u = (a1+a2)v1 + a2(v2-v1) + a3v3 + … + anvn
• The first coefficient is a1+a2
• Similarly, we can set it to a1-⌊p/2⌋a2 ,…, a1-a2 , a1 , a1+a2 , … , a1+⌊p/2⌋a2
• One of them is divisible by p, so we choose it and continue
23
Proof Outline
[Diagram: n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem]
24
Reduction from: Decision Problem
• Given an n^1.5-unique lattice, and a prime p>n^1.5
• Assume the shortest vector is: u = a1v1+a2v2+…+anvn
• Decide whether a1 is divisible by p
25
Reduction to: Promise Problem
• Given a lattice, distinguish between:
  Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n
  Case 2. Shortest vector is of length more than n
26
The reduction
• Input: a basis (v1,…,vn) of an n^1.5-unique lattice
• Scale the lattice so that the shortest vector is of length 1/n
• Replace v1 by pv1. Let M be the resulting lattice
• If p|a1 then M has shortest vector 1/n and all non-parallel vectors more than n
• If p∤a1 then M has shortest vector more than n
27
The input lattice L
[Figure: lattice L with points 0, u, 2u, -u and scale marks 1/n and n]
28
The lattice M
• The lattice M is spanned by pv1,v2,…,vn
• If p|a1, then u = (a1/p)•pv1 + a2v2 +…+ anvn ∈ M
[Figure: lattice M containing u, with scale marks 1/n and n]
29
The lattice M
• The lattice M is spanned by pv1,v2,…,vn
• If p∤a1, then u∉M
[Figure: lattice M with points 0, pu, -pu and scale mark n]
30
Proof Outline
[Diagram: n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem]
31
Reduction from: Promise Problem
• Given a lattice, distinguish between:
  Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n
  Case 2. Shortest vector is of length more than n
32
n-dimensional distributions
• Distinguish between the distributions:
[Figure: two n-dimensional distributions, labelled Wavy and Uniform, with a question mark between them]
33
Dual Lattice
• Given a lattice L, the dual lattice is L* = { x | ∀y∈L, ⟨x,y⟩∈Z }
[Figure: a lattice L and its dual L*, with spacings marked 1/5 and 5]
34
L* - the dual of L
[Figure: L and L* shown for Case 1 and Case 2, with scale marks 1/n and n]
35
Reduction
• Choose a point randomly from L*
• Perturb it by a Gaussian of radius n
36
Creating the Distribution
[Figure: L* and L* + perturb, shown for Case 1 and Case 2, with scale mark n]
37
Analyzing the Distribution
• Theorem: (using [Banaszczyk’93]) The distribution obtained above depends only on the points in L of distance n from the origin (up to an exponentially small error)
• Therefore,
  Case 1: Determined by multiples of u ⇒ wavy on hyperplanes orthogonal to u
  Case 2: Determined by the origin ⇒ uniform
38
Proof of Theorem
• For a set A in R^n, define:
• Poisson Summation Formula implies:
• Banaszczyk’s theorem: For any lattice L,
Ax
xeA2
)(
Lx
yxin xeLdLyy })({)()(, ,2*
)(2)( )(n
nn BnLBnL
39
Proof of Theorem (cont.)
• In Case 2, the distribution obtained is very close to uniform:
• Because:
Lx
yxin xeLdLyy })({)()(, ,2*
)(})({1)(}0{
,2 LdxeLdLx
yxi
}0{}0{
,2 })({})({LxLx
yxi xxe
)(})0{( nBnLL )()( 2)(2 n
nn BnL
40
Proof Outline
[Diagram: n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem]
41
n-dimensional distributions
• Distinguish between the distributions
• Given by an oracle that returns points inside a cube of side length 2n
[Figure: two n-dimensional distributions, labelled Wavy and Uniform, with a question mark between them]
42
Main Theorem
• Distinguish between the distributions:
[Figure: two plots over 0…R-1, labelled Uniform and Wavy]
43
Reducing to 1-dimension
• First attempt: sample and project to a line
44
Reducing to 1-dimension
• But then we lose the wavy structure!
• We should project only from points very close to the line
45
The solution
• Use the periodicity of the distribution
• Project on a ‘dense line’:
46
The solution
47
The solution
• We choose the line that connects the origin to e1+Ke2+K^2e3…+K^(n-1)en where K is large enough
• The distance between hyperplanes is n
• The sides are of length 2n
• Therefore, we choose K=2^(O(n))
• Hence, d<O(K^n)=2^(O(n^2))
48
Done
[Diagram: n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem]
49
From Worst-Case to Average-Case
50
Worst-case vs. Average-case
• Main theorem presents a problem that is hard in the worst-case: distinguish between uniform and d,γ-wavy distributions for all integers d<2^(n^2)
• For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of d in [2^(n^2), 2•2^(n^2)]
51
Compressing
• The following procedure transforms d,γ-wavy into 2d,γ-wavy for all integer d:
  – Sample a from the distribution
  – Return either a/2 or (a+R)/2 with probability ½
• In general, for any real 1, we can compress d,γ-wavy into d,γ-wavy
• Notice that compressing preserves the uniform distribution
• We show a reduction from worst-case to average-case
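The doubling procedure on this slide, checked numerically in an added Python example (not code from the talk). The modulus R = 2^32, the values of d and γ, and all function names are assumptions chosen for illustration.

```python
import random

R = 2 ** 32          # toy modulus (assumption; the slides use R = 2^(2n^2))

def dist(d, w):
    """dist_d(w): distance of w from the nearest of d evenly spaced peaks, in periods."""
    r = (d * w) % R
    return min(r, R - r) / R

def sample_wavy(d, gamma, rng):
    # Uniformly chosen peak k*R/d plus Gaussian noise of std-dev (R/d)/gamma.
    return round((rng.randrange(d) + rng.gauss(0, 1 / gamma)) * R / d) % R

def compress(a, rng):
    # Slide procedure: return a/2 or (a+R)/2, each with probability 1/2
    # (integer division; the rounding error is negligible for d << R).
    return (a + rng.randrange(2) * R) // 2

def experiment(d=1000, gamma=1000, samples=2000, seed=3):
    """Compress d-wavy samples and measure them against 2d peaks and d peaks."""
    rng = random.Random(seed)
    out = [compress(sample_wavy(d, gamma, rng), rng) for _ in range(samples)]
    worst_2d = max(dist(2 * d, c) for c in out)            # stays tiny: output is 2d-wavy
    off_d = sum(dist(d, c) > 0.4 for c in out) / samples   # about half miss the old d peaks
    return worst_2d, off_d

if __name__ == "__main__":
    print(experiment())
```

About half of the compressed samples land midway between the original d peaks, which is why the output has 2d periods rather than d.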
52
Reduction
• Assume there exists a distinguisher between uniform and d,γ-wavy distribution for some non-negligible fraction of d in [2^(n^2), 2•2^(n^2)]
• Given either a uniform or a d,γ-wavy distribution for some integer d<2^(n^2) repeat the following:
  – Choose in {1,…,2•2^(n^2)} according to a certain distribution
  – Compress the distribution by
  – Check the distinguisher’s acceptance probability
• If for some the acceptance probability differs from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’
53
Reduction
[Figure: number line marked 1, d, 2^(n^2) and 2•2^(n^2)]
• Distribution is uniform:
  – After compression it is still uniform
  – Hence, the distinguisher’s acceptance probability equals that of uniform sequences for all
• Distribution is d,γ-wavy:
  – After compression it is in the good range with some probability
  – Hence, for some , the distinguisher’s acceptance probability differs from that of uniform sequences
54
Application 1
Public Key Encryption Scheme
55
PKE – Description
• Let m=2log2R=4n^2
• Private key:
  – A real number y chosen uniformly in [2^(n^2),2•2^(n^2)] such that y is close to an integer (1/100m)
• Public key:
  – Choose integers A={a1,…,am} from the y,γ-wavy distribution with γ=n^(1+ε)
• Lemma: Public keys are indistinguishable from uniform sequences (based on n^(1.5+ε) unique-SVP)
56
PKE – Description (cont.)
• Private key: y
• Public key: A={a1,…,am}
• Encryption:
  – Bit 0: a number chosen uniformly in {0,…,R-1}
  – Bit 1: the sum of a random subset of A mod R
• Decryption of w:
  – If dist_y(w)<1/50 then 1 otherwise 0
57
PKE – Correctness
• Encryption of the bit 0:
  – With probability 96%, dist_y(Σai)>1/50
  – These errors can be avoided
• Encryption of the bit 1:
  – For a subset S, with high probability, dist_y(Σai)<1/100
  – Using Σai < m•R, dist_y(Σai mod R)<1/50
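The scheme from the three PKE slides above as a toy Python sketch, added here and not code from the talk. It assumes n=4, an integer private key y, and a γ far larger than n^(1+ε) so that encryptions of 1 always decrypt at this size; all function names are illustrative.

```python
import random

N = 4                    # toy dimension (assumption); offers no security
R = 2 ** (2 * N * N)     # R = 2^(2n^2)
M = 4 * N * N            # m = 2*log2(R) = 4n^2
GAMMA = 10_000           # period / std-dev; assumed far above n^(1+eps)

def dist(y, w):
    """dist_y(w): distance of w from the nearest peak, in units of the period R/y."""
    r = (y * w) % R
    return min(r, R - r) / R

def keygen(rng):
    # Private key y in [2^(n^2), 2*2^(n^2)); taken as an integer here
    # (assumption), which trivially satisfies "close to an integer".
    y = rng.randrange(2 ** (N * N), 2 * 2 ** (N * N))
    # Public key: m samples of the y,gamma-wavy distribution, i.e. a uniformly
    # chosen peak k*R/y plus Gaussian noise of std-dev (R/y)/gamma, rounded.
    pub = [round((rng.randrange(y) + rng.gauss(0, 1 / GAMMA)) * R / y) % R
           for _ in range(M)]
    return y, pub

def encrypt(pub, bit, rng):
    if bit == 0:                      # bit 0: uniform in {0,...,R-1}
        return rng.randrange(R)
    # bit 1: sum of a random subset of the public key, mod R
    return sum(a for a in pub if rng.random() < 0.5) % R

def decrypt(y, w):
    return 1 if dist(y, w) < 1 / 50 else 0

def demo(seed=1, trials=1000):
    """Fractions of encryptions of 1 and of 0 that decrypt correctly."""
    rng = random.Random(seed)         # seeded PRNG for reproducibility, not a CSPRNG
    y, pub = keygen(rng)
    ok1 = sum(decrypt(y, encrypt(pub, 1, rng)) == 1 for _ in range(trials))
    ok0 = sum(decrypt(y, encrypt(pub, 0, rng)) == 0 for _ in range(trials))
    return ok1 / trials, ok0 / trials

if __name__ == "__main__":
    print(demo())
```

Encryptions of 0 decrypt correctly only about 96% of the time, matching the figure on the correctness slide.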
58
PKE - Security
• Lemma: If {a1,…,am} is a uniform sequence then both encryptions of 0 and of 1 are uniform
• Hence, distinguishing between encryptions of 0 and 1 implies distinguishing between public keys and uniform sequences!
[Diagram: public key {a1,…,am}: Enc(0) ? Enc(1); uniform {a1,…,am}: Enc(0)~Enc(1)]
59
PKE – Security
• Lemma: Public keys are indistinguishable from uniform sequences (based on n^(1.5+ε) unique-SVP)
• Proof: Follows from the average-case theorem (since we choose y from a set of size 1/(50m) of all [2^(n^2),2•2^(n^2)])
60
Application 2
Collision Resistant Hash Function
61
Collision Resistant Hash Function
• Choose a1,…,am uniformly in {0,…,R-1} where m=2log2R=4n^2. Then:
  ∀b1,…,bm∈{0,1}, f(b1,…,bm)=Σbiai mod R
• We will see a simpler proof based on n^(2.5+ε)-uSVP
62
Collision Resistant Hash Function
• Assume there exists a collision finding algorithm C
• I.e., with non-negligible probability, given a1,…,am chosen uniformly, C finds c1,…,cm∈{-1,0,1} (not all zero) such that
  Σaici = 0 (mod R)
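The hash f and the output of a collision finder, as an added Python example (not code from the talk). It assumes the toy size n=2, where a pigeonhole search stands in for the algorithm C; at real parameters that search is infeasible. Function names are illustrative.

```python
import random

N = 2                    # toy dimension (assumption)
R = 2 ** (2 * N * N)     # R = 2^(2n^2)
M = 4 * N * N            # m = 4n^2 input bits, log2(R) = 2n^2 output bits

def keygen(seed=0):
    rng = random.Random(seed)
    return [rng.randrange(R) for _ in range(M)]   # a1,...,am uniform in {0,...,R-1}

def f(a, bits):
    """f(b1,...,bm) = sum of bi*ai mod R."""
    return sum(ai for ai, b in zip(a, bits) if b) % R

def to_bits(x):
    return [(x >> i) & 1 for i in range(M)]

def find_collision(a):
    """Stand-in for C: among R+1 distinct inputs two must share a digest."""
    seen = {}
    for x in range(R + 1):
        h = f(a, to_bits(x))
        if h in seen:
            return to_bits(seen[h]), to_bits(x)
        seen[h] = x
    raise AssertionError("unreachable: pigeonhole guarantees a collision")

def collision_to_c(x, y):
    # A collision x != y gives c = x - y in {-1,0,1}^m, not all zero,
    # with sum(ai*ci) = 0 (mod R): the vector the slide says C finds.
    return [xi - yi for xi, yi in zip(x, y)]

if __name__ == "__main__":
    a = keygen()
    x, y = find_collision(a)
    c = collision_to_c(x, y)
    print(c, sum(ai * ci for ai, ci in zip(a, c)) % R)
```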
63
Collision Resistant Hash Function
• We show how to distinguish between the uniform and the d,γ-wavy with γ=n^(2+ε) using C
• Choose z uniformly from {0,…,R-1}
• With probability 0.9, dist_d(z) > 1/20
• Repeat the following enough times:
  • Choose a1,…,am from the unknown distribution
  • Call C with a1,…,a(k-1),(ak+z mod R),a(k+1),…,am where k is chosen uniformly from {1,…,m}
• If ck is always zero or C keeps failing, say ‘wavy’ otherwise ‘uniform’
64
Correctness
• Distribution is uniform:
  • a1,…,a(k-1),(ak+z mod R),a(k+1),…,am has the same distribution as a uniform sequence
  • Therefore, C answers with non-negligible probability and ck≠0 with probability at least 1/m
• Distribution is d,γ-wavy:
  • W.h.p., ∀i∈{1,…,m}, dist_d(ai) < 1/(100n^2)
  • For all c1,…,cm∈{-1,0,1}, dist_d(Σciai) < 1/25 (since m=4n^2)
  • Therefore, if z has dist_d(z) > 1/20 then it can never be included in the sum, i.e., ck=0
65
Application 3
Quantum Computation – The Dihedral HSP
66
Hidden Subgroup Problem
• Given a function that is constant and distinct on cosets of H≤G, find H
• Solved for Abelian groups
• Also for certain non-Abelian groups [RöttelerBeth’98,HallgrenRussellTashma’00,GrigniSchulmanVaziraniVazirani’01…]
• Still open for many groups. In particular:
  – Symmetric group
  – Dihedral group (ZN⋊Z2)
67
Solving Dihedral HSP
• Two approaches:
• Ettinger and Høyer ’00
  – Reduction to “Period finding from samples”
• R ’02, Kuperberg ’03
  – Reduction to average case subset sum
68
Solving Dihedral HSP
• Idea of Ettinger and Høyer:
  – Reduce to “Hidden Translation on ZN”: Given an oracle that outputs states of the form |x⟩+|x+d⟩ where x is arbitrary and d is fixed, find d
  – Take the Fourier transform
  – Measure
jeeN
j
NjdiNjxi |)1(1
0
)/(2)/(2
69
Period Finding from Samples
• Find the period of the following (cos^2) distribution by sampling:
[Figure: cos^2 distribution plotted over 0…R-1]
• [EH] showed that there is enough information in a polynomial number of samples
• Open question in [EH]: is there an efficient solution to this problem?
70
Reduction
• Lemma: A distinguisher between cos^2 and the uniform distribution implies a distinguisher between the wavy and uniform distribution
71
Guess the period and add noise
72
Reduction
• Corollary: finding the period of the cos^2 distribution is hard
• Proof: Since all cos^2 distributions look like uniform, they all look the same
73
Conclusion
• Main theorem
• Average case form
• Applications
  – Strong public key encryption scheme
  – Collision resistant hash function
  – Solution to an open question in quantum computation
• Other applications?