Page 1: Introduction to modern lattice-based cryptography

Course outline: Introduction, Lattices, The SIS problem, The LWE problem, Cryptanalysis, Recent developments, Conclusion.

Damien Stehlé
CNRS/Macquarie University/University of Sydney
Marseille, February 2010

Damien Stehlé, Introduction to modern lattice-based cryptography, 01/02/2010, 1/81

Page 2: Modern lattice-based cryptography

Cryptography: the study of hiding information.

“Lattice-based”: the schemes are described with lattices. Standard lattice problems provably reduce to attacks against those schemes (an attack on the scheme yields an algorithm for the lattice problem).

Modern: we won’t be interested in GGH and NTRU. More recent schemes offer similar asymptotic performance and comparable efficiency.

Page 3: Why lattice-based cryptography?

(Why not factoring or discrete log, as usual?)

LBC provides unmatched security properties: it relies on worst-case hardness assumptions and seems to resist quantum computers.

LBC is asymptotically extremely efficient.

LBC is simple and flexible: this leads to easier design of complicated cryptographic functions.

Diversity fosters cross-pollination.

Page 4: Goal of this course

To give an overview of recent developments in lattice-based cryptography, and a flavour of the techniques/results.

Disclaimer: This is not a practical crypto course.

Contents: complexity theory, distributions, quantum computing, cryptography, structured matrices, algebraic number theory, lattices.

Page 5: Plan

1- Background on Euclidean lattices.

2- The SIS problem, or how to hash.

3- The LWE problem, or how to encrypt.

4- Cryptanalysis.

5- More recent developments.

Page 7: Background on Euclidean lattices

a- Arbitrary lattices.

b- Ideal lattices.

c- Lattice Gaussians.

Page 8: (Arbitrary) lattices

Lattice $\equiv$ discrete subgroup of $\mathbb{R}^n$ $\equiv \{\sum_i x_i b_i : x_i \in \mathbb{Z}\}$.

If the $b_i$'s are linearly independent, they are called a basis.

Hard problems: short/close vectors.

Lattice minimum: $\lambda(L) = \min(\|b\| : b \in L \setminus \{0\})$.

Page 9: SVP and SIVP

The Shortest Vector Problem: $\mathrm{SVP}_\gamma$
Given a basis of $L$, find $b \in L \setminus \{0\}$ such that $\|b\| \le \gamma \cdot \min(\|c\| : c \in L \setminus \{0\})$.

The Shortest Independent Vectors Problem: $\mathrm{SIVP}_\gamma$
Given a basis of $L$, find $b_1, \ldots, b_n \in L$ linearly independent such that $\max_i \|b_i\| \le \gamma \cdot \min(\max_i \|c_i\| : c_1, \ldots, c_n \in L \text{ lin. indep.})$.

NP-hard when $\gamma = O(1)$.

In lattice-based crypto: $\gamma = \mathrm{Poly}(n)$ (most often).

Solvable in polynomial time when $\gamma = 2^{\tilde{O}(n)}$.

Page 10: Gram-Schmidt Orthogonalisation

A lattice may have infinitely many bases.

Quality of a basis: measured by the Gram-Schmidt Orthogonalisation.

[Figure: basis vectors $b_1, b_2, b_3$ with their Gram-Schmidt vectors $b_2^*, b_3^*$.]

$b_i^* = \operatorname{argmin} \{\|v\| : v \in b_i + \sum_{j<i} \mathbb{R}\, b_j\}$, i.e., $b_i^*$ is the projection of $b_i$ orthogonally to $\mathrm{span}(b_1, \ldots, b_{i-1})$.

Quality measure: $\max_i \|b_i^*\|$.

Page 11: From short vectors to a short basis

Let $(b_i)_i$ be a basis of a lattice $L$.

Let $(s_i)_i$ in $L$ be linearly independent with small GSO.

Can we compute a basis of $L$ with small GSO?

Write $(s_i)_i = (b_i)_i \cdot T$, with $T \in \mathbb{Z}^{n \times n}$.

Compute the Hermite Normal Form of $T$, i.e., $T = U \cdot T'$ with $U$ unimodular and $T' \in \mathbb{Z}^{n \times n}$ upper triangular. Let $(c_i)_i = (b_i)_i \cdot U$.

$(c_i)_i$ is a basis of $L$ (as $U$ is unimodular) and $(s_i)_i = (c_i)_i \cdot T'$.

Therefore $\max_i \|c_i^*\| \le \max_i \|s_i^*\|$: since $T'$ is upper triangular, $s_i^* = T'_{ii}\, c_i^*$ with $T'_{ii}$ a nonzero integer. With a size-reduction, we can get $\max_i \|c_i\| \le \sqrt{n} \cdot \max_i \|s_i\|$.
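The Gram-Schmidt quality measure of the previous slide and the short-vectors-to-short-basis procedure of this one, worked through in Python as an added example (not code from the slides). The basis B and the short vectors S are constructed samples; the decomposition T = U·T' is obtained with Euclid-style unimodular row operations (only the upper-triangular shape of the Hermite Normal Form is needed), and the final size-reduction step is included.

```python
from fractions import Fraction

# Matrices are lists of rows; a family (b_i)_i is the list of COLUMNS of a matrix,
# matching the slide's notation (s_i)_i = (b_i)_i * T.

def columns(M):
    return [list(c) for c in zip(*M)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gram_schmidt(vectors):
    """Exact Gram-Schmidt vectors v_i^* = argmin ||v_i + sum_{j<i} R v_j||."""
    stars = []
    for v in vectors:
        vstar = [Fraction(x) for x in v]
        for bstar in stars:
            mu = dot(vstar, bstar) / dot(bstar, bstar)
            vstar = [x - mu * y for x, y in zip(vstar, bstar)]
        stars.append(vstar)
    return stars

def gso_sq_norms(vectors):
    """||v_i^*||^2 for each i; the slide's quality measure is the max of these."""
    return [dot(s, s) for s in gram_schmidt(vectors)]

def solve(B, S):
    """Exact X with B * X = S (B square, nonsingular) by Gauss-Jordan over Q."""
    n = len(B)
    M = [[Fraction(x) for x in B[i]] + [Fraction(x) for x in S[i]] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[p] = M[p], M[c]
        pivot = M[c][c]
        M[c] = [x / pivot for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def triangularise(T):
    """Unimodular row operations make T upper triangular: T = U * T2.  Each row
    operation R on T2 is mirrored as the column operation R^-1 on U, so U * T2 == T."""
    n = len(T)
    T2 = [row[:] for row in T]
    U = [[int(i == j) for j in range(n)] for i in range(n)]
    for c in range(n):
        for r in range(c + 1, n):
            while T2[r][c] != 0:                   # Euclid on rows c and r
                q = T2[c][c] // T2[r][c]
                T2[c] = [x - q * y for x, y in zip(T2[c], T2[r])]  # row_c -= q*row_r
                for k in range(n):
                    U[k][r] += q * U[k][c]                          # col_r += q*col_c
                T2[c], T2[r] = T2[r], T2[c]                         # swap rows c, r
                for k in range(n):
                    U[k][c], U[k][r] = U[k][r], U[k][c]             # swap columns c, r
        if T2[c][c] < 0:                           # normalise the sign of the diagonal
            T2[c] = [-x for x in T2[c]]
            for k in range(n):
                U[k][c] = -U[k][c]
    return U, T2

def short_basis(B, S):
    """The slide's procedure: (s_i) = (b_i) T, T = U T', (c_i) = (b_i) U.  Returns (C, T')."""
    X = solve(B, S)
    if any(x.denominator != 1 for row in X for x in row):
        raise ValueError("the s_i must be lattice vectors")
    U, T2 = triangularise([[int(x) for x in row] for row in X])
    return matmul(B, U), T2

def size_reduce(vectors):
    """c_i -= round(mu_ij) c_j for j = i-1..0: unimodular, so lattice and GSO are unchanged."""
    cols = [v[:] for v in vectors]
    for i in range(len(cols)):
        stars = gram_schmidt(cols[:i])
        for j in range(i - 1, -1, -1):
            k = round(dot(cols[i], stars[j]) / dot(stars[j], stars[j]))
            cols[i] = [x - k * y for x, y in zip(cols[i], cols[j])]
    return cols

# Constructed sample (not from the slides): L = Z^3 given by the skewed basis B (columns
# b_i), and short independent vectors S (columns s_i) of L generating a sublattice of index 2.
B = [[1, 7, 30], [0, 1, 4], [0, 0, 1]]
S = [[0, 0, 2], [0, 1, 0], [1, 0, 0]]

def demo():
    C, T2 = short_basis(B, S)
    C_red = size_reduce(columns(C))
    return {"gso_S": gso_sq_norms(columns(S)),    # [1, 1, 4]
            "gso_C": gso_sq_norms(columns(C)),    # [1, 1, 1], each <= the S value
            "T2": T2,                             # upper triangular, determinant 2
            "max_len_sq_C": max(dot(c, c) for c in C_red)}   # <= n * max ||s_i||^2
```

Running `size_reduce(columns(B))` on the skewed basis itself returns the unit vectors, which is the size-reduction bound of the slide in action.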

Page 12: Background on lattices

a- Arbitrary lattices.

b- Ideal lattices.

c- Lattice Gaussians.

Page 13: Ideal lattices

A lattice $L$ is ideal if:

$(b_0, b_1, b_2, b_3, \ldots, b_{n-2}, b_{n-1}) \in L$

$\Rightarrow (-b_{n-1}, b_0, b_1, b_2, \ldots, b_{n-3}, b_{n-2}) \in L$

$\Rightarrow (-b_{n-2}, -b_{n-1}, b_0, b_1, \ldots, b_{n-4}, b_{n-3}) \in L$

$\Rightarrow (-b_{n-3}, -b_{n-2}, -b_{n-1}, b_0, \ldots, b_{n-5}, b_{n-4}) \in L$

Equivalently, a lattice $L$ is ideal if it is an ideal of $\mathbb{Z}[x]/(x^n + 1)$: identify $(b_0, \ldots, b_{n-1})$ with the polynomial $\sum_i b_i x^i$, and the rotation above is multiplication by $x$.

Easy property: all minima of an ideal lattice are equal, where $\lambda_k(L) = \min(r : \dim \mathrm{span}(L \cap B(r)) \ge k)$.

Page 14: How special are ideal lattices?

Advantages

The negacyclic structure allows one to save space. Warning: an ideal lattice may have no negacyclic basis.

We can multiply vectors together.

Fast polynomial arithmetic.

Drawbacks

NP-hardness results not valid anymore.

Decisional SVP becomes easier (algebraic number theory).

But no known computational advantage for Id-SVP/Id-SIVP.

Page 15: Ideal lattices and algebraic number theory

Let $\zeta$ be a primitive $(2n)$-th root of unity and $K = \mathbb{Q}(\zeta) \simeq \mathbb{Q}[x]/(x^n + 1)$.

$K$ is a cyclotomic number field with $n$ canonical embeddings $\sigma_i : K \to \mathbb{C}$.

For $x \in K$: $T_2(x)^2 := \sum_i |\sigma_i(x)|^2$ and $N(x) := \prod_i |\sigma_i(x)|$.

The ring of integers $\mathcal{O}_K$ of $K$ is the set of algebraic integers belonging to $K$. Here, it is $\mathbb{Z}[x]/(x^n + 1)$.

An ideal lattice $L$ is an ideal of $\mathbb{Z}[x]/(x^n + 1)$ and thus an integral ideal of $K$, i.e., an ideal of $K$ contained in $\mathcal{O}_K$. We define $N(L) = [L : \mathcal{O}_K] = \det(L)$.
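The negacyclic rotation of the ideal-lattice slide and the embeddings, algebraic norm and $T_2$ norm of this slide, in Python as an added example (not code from the slides). It assumes $n$ is a power of two, so that $x^n + 1$ is the $2n$-th cyclotomic polynomial and the embeddings are $f \mapsto f(\zeta^k)$ for odd $k$; the polynomial $f = 1 + x + 2x^2$ in $\mathbb{Z}[x]/(x^4 + 1)$ is a constructed sample.

```python
import cmath
from fractions import Fraction

def rotate(v):
    """Multiplication by x in Z[x]/(x^n + 1): (b0, ..., b_{n-1}) -> (-b_{n-1}, b0, ..., b_{n-2})."""
    return [-v[-1]] + v[:-1]

def negacyclic_mul(f, g):
    """f * g in Z[x]/(x^n + 1): the wrap-around x^n = -1 flips the sign of the overflow."""
    n = len(f)
    h = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                h[i + j] += fi * gj
            else:
                h[i + j - n] -= fi * gj
    return h

def rotation_basis(f):
    """Rows f, x f, ..., x^{n-1} f: a basis of the principal ideal (f), an ideal lattice."""
    rows = [list(f)]
    for _ in range(len(f) - 1):
        rows.append(rotate(rows[-1]))
    return rows

def det(M):
    """Exact determinant by Gaussian elimination over Q (an int when the matrix is integral)."""
    A = [[Fraction(x) for x in row] for row in M]
    n, d = len(A), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return 0
        if p != c:
            A[c], A[p] = A[p], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return int(d) if d.denominator == 1 else d

def canonical_embeddings(f):
    """sigma_k(f) = f(zeta^k) for odd k, with zeta = exp(i*pi/n) a primitive 2n-th root of
    unity (assumes n is a power of two, so these are exactly the n embeddings of K)."""
    n = len(f)
    out = []
    for k in range(1, 2 * n, 2):
        z = cmath.exp(1j * cmath.pi * k / n)
        out.append(sum(c * z ** i for i, c in enumerate(f)))
    return out

def algebraic_norm(f):
    """N(f) = prod_k |sigma_k(f)|; for the principal ideal (f) it equals det of the rotation basis."""
    p = 1.0
    for s in canonical_embeddings(f):
        p *= abs(s)
    return p

def t2_norm_sq(f):
    """T_2(f)^2 = sum_k |sigma_k(f)|^2 (equals n * ||f||^2 in this power-of-two cyclotomic field)."""
    return sum(abs(s) ** 2 for s in canonical_embeddings(f))

# Constructed sample (not from the slides): n = 4, f = 1 + x + 2x^2 in Z[x]/(x^4 + 1).
f = [1, 1, 2, 0]
x = [0, 1, 0, 0]

def demo():
    basis = rotation_basis(f)
    return {"x_times_f": negacyclic_mul(f, x),   # equals rotate(f)
            "basis": basis,
            "det": det(basis),                    # 18 = N(f)
            "norm": algebraic_norm(f),            # 18.0 up to floating-point error
            "t2_sq": t2_norm_sq(f)}               # 24.0 = 4 * (1 + 1 + 4)
```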


Approximating Id-SVP is easy

The coefficient norm (in $\mathbb{Z}[x]/(x^n+1)$) is a scaling of factor $\sqrt{n}$ of the $T_2$-norm.

For any $x \in K$, we have $(\mathcal{N}x)^{2/n} \le T_2(x)^2/n$.

For any $x \in L$, we have $(x) \subseteq L$, and thus $\mathcal{N}x = \mathcal{N}(x) \ge \mathcal{N}(L)$. This gives:

$\sqrt{n} \cdot \mathcal{N}(L)^{1/n} \le \sqrt{n} \cdot \mathcal{N}(x)^{1/n} \le T_2(x)$.

Let $s \in L$ reach $\lambda(L)$. Minkowski's theorem gives:

$T_2(s) \le \sqrt{n} \cdot \mathrm{vol}_{T_2}(L)^{1/n} \le n \cdot \mathcal{N}(L)^{1/n}$.

Overall, we know $\lambda(L)$ up to a factor $\sqrt{n}$.


Background on lattices

a- Arbitrary lattices.

b- Ideal lattices.

c- Lattice Gaussians.


A handy distribution: the discrete Gaussian

For $b \in \mathbb{R}^n$ and $c \in \mathbb{R}^n$:

$\rho_{\sigma,c}(b) := e^{-\pi \|b-c\|^2/\sigma^2}$.

$\sigma$ is the standard deviation.

For $L \subseteq \mathbb{R}^n$ and $c \in \mathbb{R}^n$: $\rho_{\sigma,c}(L) = \sum_{b \in L} \rho_{\sigma,c}(b)$ is finite. Discrete $n$-dimensional Gaussian:

$\forall b \in L : D_{L,\sigma,c}(b) = \dfrac{\rho_{\sigma,c}(b)}{\rho_{\sigma,c}(L)}$.


The Poisson Summation Formula (PSF)

Dual lattice:

If $L \subseteq \mathbb{R}^n$ is full rank, its dual is

$\widehat{L} = \{\hat{b} : \forall b \in L,\ \langle \hat{b}, b \rangle \in \mathbb{Z}\}$.

If $B \in \mathbb{R}^{n \times n}$ is a basis of $L$, then $B^{-T}$ is a basis of $\widehat{L}$.

Poisson summation formula for $n$-dimensional Gaussians (derived from Fourier analysis):

$\rho_{\sigma,c}(L) = \det(\widehat{L}) \cdot \sigma^n \cdot \sum_{\hat{b} \in \widehat{L}} \left[\rho_{1/\sigma}(\hat{b}) \cdot \exp(-2\pi i \langle \hat{b}, c \rangle)\right]$.

Consequence: $\forall \sigma \ge 1 : \rho_\sigma(L \setminus B(0, \sigma\sqrt{n})) \le 2^{-n+1} \rho_\sigma(L)$.


The smoothing parameter

Define $\eta_\varepsilon(L)$ as the smallest $\sigma$ such that $\rho_{1/\sigma}(\widehat{L} \setminus 0) \le \varepsilon$.

If $\sigma \ge \eta_\varepsilon(L)$, then $\rho_{\sigma,c}(L)$ is quasi-constant:

$\rho_{\sigma,c}(L) \in \left[(1-\varepsilon) \cdot \det(\widehat{L}) \cdot \sigma^n,\ (1+\varepsilon) \cdot \det(\widehat{L}) \cdot \sigma^n\right]$.

If $(b_i)_i$ is a basis of $L$, we have:

$\eta_\varepsilon(L) \le \max_i \|b_i^*\| \cdot \sqrt{\log(3n/\varepsilon)}$.

Typically, we will use $\varepsilon = 2^{-n}$.


Proof that $\eta_{2^{-n+2}}(L) \le \sqrt{n} \cdot \max_i \|b_i^*\|$

First: $\eta_{2^{-n+2}}(L) \le \sqrt{n}/\lambda(\widehat{L})$. For $\sigma = \sqrt{n}/\lambda(\widehat{L})$:

$\rho_{1/\sigma}(\widehat{L} \setminus 0) = \rho(\sigma\widehat{L} \setminus B(0, \sqrt{n})) \le 2^{-n+1} \rho(\sigma\widehat{L}) \le 2^{-n+2}$.

Second: $1/\lambda(\widehat{L}) \le \max_i \|b_i^*\|$.

Recall that $B' = B^{-T}$ is a basis of $\widehat{L}$. We have:

$\lambda(\widehat{L}) \ge \min_i \|b_i'^*\|$ and $\dfrac{1}{\min_i \|b_i'^*\|} = \max_i \|b_i^*\|$.


Sampling according to DL,σ

Input: A basis $(b_i)_i$ of $L$, $\sigma$. Output: $b \in L$.

1. $b := 0$. For $i$ from $n$ to $1$, do
2.   $\sigma_i := \sigma/\|b_i^*\|$, $c_i := -\langle b, b_i^* \rangle/\|b_i^*\|^2$;
3.   Sample $z_i$ from $D_{\mathbb{Z},\sigma_i,c_i}$;
4.   $b := b + z_i b_i$.
5. Return $b$.

This is a randomized version of Babai/size-reduction. The 1-dim discrete Gaussian sample can be obtained by rejection from a continuous Gaussian. It can be easily modified to sample according to $D_{L,\sigma,c}$.
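An added example, not from the slides: the five-step sampler above in Python, with the one-dimensional $D_{\mathbb{Z},\sigma_i,c_i}$ obtained by rejection sampling (here against a tail-cut uniform proposal rather than a continuous Gaussian) and the $D_{L,\sigma,c}$ variant through an optional centre. The basis, $\sigma$, target and seeds are constructed for the demo.

```python
import math
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _as_rng(rng):
    """Accept either a random.Random instance or an integer seed (for reproducible runs)."""
    return random.Random(rng) if isinstance(rng, int) else rng


def gram_schmidt(basis):
    """Gram-Schmidt orthogonalisation of the rows b_1..b_n of `basis`.
    Returns the GSO vectors b*_i in basis order (as floats)."""
    bstar = []
    for b in basis:
        v = [float(x) for x in b]
        for s in bstar:                      # remove the component along each earlier b*_j
            coeff = dot(v, s) / dot(s, s)
            v = [vk - coeff * sk for vk, sk in zip(v, s)]
        bstar.append(v)
    return bstar


def sample_z(sigma, c, rng, tail=6.0):
    """Sample z ~ D_{Z,sigma,c}: Pr[z] proportional to rho_{sigma,c}(z) = exp(-pi (z-c)^2 / sigma^2).
    Rejection sampling: propose z uniformly in [c - tail*sigma, c + tail*sigma] (the discarded
    tail has mass about exp(-pi*tail^2)) and accept with probability rho(z)/rho(z0), where
    z0 = round(c) maximises rho over the integers. The ratio is handled in the log domain so a
    tiny sigma (a deterministic nearest-plane step) cannot underflow into an endless loop."""
    rng = _as_rng(rng)
    z0 = math.floor(c + 0.5)
    lo = min(math.ceil(c - tail * sigma), z0)
    hi = max(math.floor(c + tail * sigma), z0)
    while True:
        z = rng.randint(lo, hi)
        log_ratio = -math.pi * ((z - c) ** 2 - (z0 - c) ** 2) / sigma ** 2   # log(rho(z)/rho(z0)) <= 0
        if -rng.expovariate(1.0) <= log_ratio:   # -Exp(1) is log U for U uniform in (0, 1]
            return z


def sample_lattice(basis, sigma, rng, center=None):
    """Steps 1-5 of the slide: b := 0; for i = n down to 1, sigma_i = sigma/||b*_i||,
    c_i = <c - b, b*_i>/||b*_i||^2 (c = 0 recovers the slide's -<b, b*_i>/||b*_i||^2),
    z_i ~ D_{Z,sigma_i,c_i}, b := b + z_i b_i.  Returns (b, z) with b = sum_i z_i b_i in L;
    a nonzero `center` c gives the D_{L,sigma,c} variant mentioned on the slide."""
    rng = _as_rng(rng)
    n, dim = len(basis), len(basis[0])
    c = [0.0] * dim if center is None else [float(x) for x in center]
    bstar = gram_schmidt(basis)
    b = [0] * dim
    z = [0] * n
    for i in range(n - 1, -1, -1):
        norm2 = dot(bstar[i], bstar[i])
        sigma_i = sigma / math.sqrt(norm2)
        c_i = dot([ck - bk for ck, bk in zip(c, b)], bstar[i]) / norm2
        z[i] = sample_z(sigma_i, c_i, rng)
        b = [bk + z[i] * bik for bk, bik in zip(b, basis[i])]
    return b, z


def sampler_min_sigma(basis):
    """sqrt(n) * max_i ||b*_i||: the sigma above which the slides show the output
    distribution is 2^-Omega(n)-close to D_{L,sigma}."""
    return math.sqrt(len(basis)) * max(math.sqrt(dot(s, s)) for s in gram_schmidt(basis))


def mean_squared_norm(basis, sigma, samples, seed=1):
    """Empirical E||b||^2 over `samples` draws; for sigma well above the smoothing
    parameter it approaches n * sigma^2 / (2 pi), the continuous-Gaussian value."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        b, _ = sample_lattice(basis, sigma, rng)
        total += dot(b, b)
    return total / samples


if __name__ == "__main__":
    # Constructed demo basis (rows); its GSO is diag(3, 4, 5), so sqrt(3)*5 is the sampler threshold.
    B = [[3, 0, 0], [1, 4, 0], [2, 1, 5]]
    sigma = 20.0
    print("sigma must be at least", round(sampler_min_sigma(B), 3))
    b, z = sample_lattice(B, sigma, 7)
    print("sample", b, "with coordinates", z)
    print("mean ||b||^2 =", round(mean_squared_norm(B, sigma, 1000), 1),
          "expected about", round(3 * sigma ** 2 / (2 * math.pi), 1))
```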


Sampling according to DL,σ

Using the GSO, we have that the probability of returning $b = \sum_i (-c_i + z_i) b_i^*$ is:

$\prod_i D_{\mathbb{Z},\sigma_i,c_i}(z_i) = \prod_i \dfrac{\rho_{\sigma_i,c_i}(z_i)}{\rho_{\sigma_i,c_i}(\mathbb{Z})} = \rho_\sigma(b) \cdot \prod_i \rho^{-1}_{\sigma_i,c_i}(\mathbb{Z})$.

If $\sigma \ge \sqrt{n} \cdot \max_i \|b_i^*\|$, each $\sigma_i$ is $\ge \eta_\varepsilon(\mathbb{Z})$. Thus:

$\Pr[b] \in \left(\rho_\sigma(b) \cdot \prod_i \rho^{-1}_{\sigma_i}(\mathbb{Z})\right) \cdot \left[\dfrac{1}{(1+\varepsilon)^n},\ \dfrac{1}{(1-\varepsilon)^n}\right]$.

The statistical distance between $D_{L,\sigma}$ and the output distribution is exponentially small:

$\sum_{b \in L} |\Pr[b] - D_{L,\sigma}(b)| = 2^{-\Omega(n)}$.


Plan

1- Background on Euclidean lattices.

2- The SIS problem, or how to hash.

3- The LWE problem, or how to encrypt.

4- Cryptanalysis.

5- More recent developments.


The SIS problem

a- Non structured SIS.

b- Structured SIS.

c- A trapdoor for SIS.


SIS$_{\beta,q,m}$ [Ajtai'96]

The Small Integer Solution Problem

Given a uniform $A \in \mathbb{Z}_q^{mn \times n}$, find $s \in \mathbb{Z}^{mn} \setminus 0$ such that:

$\|s\| \le \beta$ and $sA = 0 \bmod q$.

[Figure: the row vector $s$ (length $mn$, labelled $n \log n$) times the $mn \times n$ matrix $A$ equals $0$ modulo $q$, with $q$ labelled $P(n)$.]

Many interpretations:

Small codeword problem.

Short lattice vector problem: $A^\perp = \{s \in \mathbb{Z}^{mn} : sA = 0\ [q]\}$.


Cryptographic application of SIS

Hash: an efficiently computable function H : D 7→ Rwith |R| ≪ |D| is collision resistant if finding x 6= x ′ in Dsuch that H(x) = H(x ′) is computationnally hard.

Applications: message integrity, password verification, fileidentification, digital signature, etc.

SIS-based hash: s ∈ 0, 1mn 7→ sA [q].

By linearity, SIS reduces to finding a collision.

Compression ratio: mnn log q

= mlog q

.
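An added example (not from the slides) of the SIS-based hash above and of the linearity argument that turns a collision into a SIS solution: the difference of two colliding $\{0,1\}$ inputs has entries in $\{-1,0,1\}$, is nonzero, and lies in $A^\perp$. The matrix, modulus and dimensions ($mn = 8$, $n = 2$, $q = 3$) are constructed toy values, small enough for the pigeonhole argument to be checked by exhaustive enumeration.

```python
import itertools
import math
import random


def sis_hash(A, s, q):
    """The SIS-based hash of the slide: s in {0,1}^{mn} maps to sA mod q.
    A is given as mn rows of n entries in Z_q; the digest lives in Z_q^n."""
    mn, n = len(A), len(A[0])
    if len(s) != mn:
        raise ValueError("s needs one entry per row of A")
    return tuple(sum(s[i] * A[i][j] for i in range(mn)) % q for j in range(n))


def is_sis_solution(A, s, q, beta):
    """SIS_{beta,q,m} check: s is nonzero, ||s|| <= beta and sA = 0 mod q, i.e. s lies in A^perp."""
    nonzero = any(x != 0 for x in s)
    short = math.sqrt(sum(x * x for x in s)) <= beta
    return nonzero and short and all(v == 0 for v in sis_hash(A, s, q))


def collision_to_sis(s1, s2):
    """Linearity: if s1 != s2 in {0,1}^{mn} collide, then d = s1 - s2 in {-1,0,1}^{mn} is nonzero,
    satisfies dA = s1 A - s2 A = 0 mod q and ||d|| <= sqrt(mn), so d solves SIS with beta = sqrt(mn)."""
    if tuple(s1) == tuple(s2):
        raise ValueError("not a collision: the two inputs are equal")
    return tuple(a - b for a, b in zip(s1, s2))


def pigeonhole_collision(A, q):
    """Toy parameters only: hash all 2^{mn} binary inputs. The range has q^n elements, so a
    collision is guaranteed whenever 2^{mn} > q^n, i.e. when the compression ratio m/log2(q) > 1."""
    seen = {}
    for s in itertools.product((0, 1), repeat=len(A)):
        h = sis_hash(A, s, q)
        if h in seen:
            return seen[h], s
        seen[h] = s
    return None


def compression_ratio(m, q):
    """Input bits mn over output bits n*log2(q), which simplifies to m / log2(q)."""
    return m / math.log2(q)


def random_sis_matrix(mn, n, q, seed):
    """Uniform A in Z_q^{mn x n}, seeded so the demo is reproducible (constructed input)."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(n)] for _ in range(mn)]


if __name__ == "__main__":
    n, m, q = 2, 4, 3                       # constructed toy parameters: A is 8 x 2 over Z_3
    A = random_sis_matrix(m * n, n, q, seed=42)
    print("compression ratio m/log2 q =", round(compression_ratio(m, q), 3))
    s1, s2 = pigeonhole_collision(A, q)
    d = collision_to_sis(s1, s2)
    print("collision", s1, s2, "-> SIS solution", d,
          "valid:", is_sis_solution(A, d, q, math.sqrt(m * n)))
```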


How hard is SIS? A unique level of security.

Worst-case to average-case reduction ($\gamma \approx n\beta$)

Any efficient SIS algorithm succeeding with non-negligible probability leads to an efficient SIVP algorithm.

Intuition:

Start with a short basis of the lattice $L \subseteq \mathbb{Z}^n$.

Sample $mn$ short random lattice points.

Look at their coordinates with respect to the basis, modulo $q$.

A SIS solution provides a shorter vector of $L$.

Repeat to get a basis shorter than the initial one.

Repeat to get shorter and shorter bases of $L$.


The DL,σ sampler provides valid SIS inputs

Suppose we start with a basis $(b_i)$ such that $\max_i \|b_i\| = B$.

Use the $D_{L,\sigma}$ sampler with $\sigma = \sqrt{n} B$. The output is exponentially close to $D_{L,\sigma}$. Let $(c_i)$ be the samples.

With high probability: $\forall i : \|c_i\| \le \sqrt{n}\sigma = nB$.

Are their coordinates with respect to the $b_i$'s uniform mod $q$?

Yes, because $D_{L,\sigma} \bmod qL$ is (quasi)-uniform.

$D_{qL,\sigma,c}$ is (quasi)-independent of $c \in L$ (PSF), when $\sigma \ge \eta_\varepsilon(qL) = q \cdot \eta_\varepsilon(L)$.


Page 95: Introduction to modern lattice-based cryptography · Introduction to modern lattice-based cryptography Damien Stehl´e CNRS/Macquarie University/University of Sydney Marseille, February

Introduction Lattices The SIS problem The LWE problem Cryptanalysis Recent developments Conclusion

The DL,σ sampler provides valid SIS inputs

Suppose we start with a basis (bi) suchthat max ‖bi‖ = B .

Use the DL,σ sampler with σ =√

nB . The output isexponentially close to DL,σ. Let (ci) be the samples.

With high probability: ∀i : ‖ci‖ ≤ √nσ = nB .

Are their coordinates wrt the bi ’s uniform mod q?

Yes, because DL,σ mod qL is (quasi)-uniform.

DqL,σ,c is (quasi)-independent of c ∈ L (PSF),when σ ≥ ηε(qL) = q · ηε(L).

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 29/81

Shortness of the output vectors

We start with a basis $(b_i)$ with $\max_i \|b_i\| = B$.

The $c_i$'s satisfy $\forall i:\ \|c_i\| \le nB$. Let $x_i \in \mathbb{Z}^n$ be their coordinate vectors with respect to $(b_i)$, reduced mod $q$.

The oracle finds $s \in \mathbb{Z}^{mn}$ with $\sum_i s_i x_i = 0 \ [q]$ and $0 < \|s\| \le \beta$.

Consider $c = \frac{1}{q}\sum_i s_i c_i$. Since $\sum_i s_i x_i = 0 \ [q]$, the vector $\sum_i s_i c_i$ lies in $qL$, so $c \in L$; and by the triangle inequality $\|c\| \le \frac{1}{q}\sum_i |s_i|\,\|c_i\| \le \frac{\sqrt{mn}\,\beta\,nB}{q} \le \frac{\beta n^2 B}{q}$ (for $m \le n$).

If $q$ is large enough ($q > \beta n^2$), we obtain a lattice vector shorter than $B$.

By analyzing the lattice Gaussian further, one can prove that by iterating, with high probability we can find a full-rank set of short lattice vectors.

We can convert the latter into a short basis.

The SIS problem

a- Non structured SIS.

b- Structured SIS.

c- A trapdoor for SIS.

Id-SIS, graphically

[Figure: the matrix $A$ of Id-SIS, with $mn$ rows split into $m$ blocks of $n$ rows, one block per $a_i$; the input $s$ is split accordingly into $s_1, s_2, \ldots, s_m$.]

Each block is negacyclic.

The $i$th row of the block of $a(x)$ is the coefficient vector of $x^i \cdot a(x) \bmod (x^n + 1)$.

Structured matrices ≡ polynomials ≡ fast algorithms.

Ideal SIS, algebraically

SIS

Given a uniform $A \in \mathbb{Z}_q^{mn \times n}$, find $s \in \mathbb{Z}^{mn} \setminus \{0\}$ such that $\|s\| \le \beta$ and $sA = 0 \bmod q$.

Id-SIS

Given uniform $a_1, \ldots, a_m \in \mathbb{Z}_q[x]/(x^n+1)$, find $s_1, \ldots, s_m \in \mathbb{Z}[x]/(x^n+1)$, not all $0$, such that $\|s\| \le \beta$ and $\sum_i s_i a_i = 0 \bmod (q, x^n+1)$, where $s$ is the vector of all $mn$ coefficients of the $s_i$.

Worst-case to average-case reduction

Any efficient Id-SIS algorithm succeeding with non-negligible probability leads to an efficient Id-SIVP algorithm.

Efficient hashing

SIS hash: $s \in \{0,1\}^{mn} \mapsto sA \ [q]$.

Id-SIS hash: $s_1, \ldots, s_m \in \{0,1\}[x]$ of degrees $< n$ are mapped to $\sum_i s_i(x)\,a_i(x) \ [q, x^n+1]$.

If $2n \mid q-1$, then $x^n+1$ splits completely mod $q$ $\Rightarrow$ fast Discrete Fourier Transform mod $q$: a product in $\mathbb{Z}_q[x]/(x^n+1)$ becomes $n$ independent products in $\mathbb{Z}_q$ once both factors are evaluated at the $n$ roots of $x^n+1$.

Storage: $O(n^2) \to O(n)$; complexity: $O(n^2) \to O(n \log n)$ (per block, via the FFT).

This is SWIFFT; a hash function built on it, SWIFFTX, was submitted to the SHA-3 competition. With $n = 2^6$, $m = 2^4$, $q = 257 \approx 2^8$: $mn\log_2 q \approx 2^{13}$ bits to store $A$.
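The three readings of the hash on these slides, the stacked negacyclic matrix of the "Id-SIS, graphically" slide, the polynomial sum, and the evaluation at the roots of $x^n+1$, computed side by side on the SWIFFT sizes. This is an added Python example, not part of the lecture and not SWIFFT's reference code: the key polynomials and the input bits are constructed from fixed seeds, and the transform is written as a plain $O(n^2)$ evaluation so that the pointwise structure is visible (an FFT over the same points is what gives the $O(n\log n)$ cost).

```python
import random

N, M, Q = 64, 16, 257   # the slide's SWIFFT sizes: n = 2^6, m = 2^4, q = 257 (prime, and 2n = 128 divides q - 1 = 256)


def negacyclic_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^n + 1): x^n = -1, so a term x^k with k >= n folds to -x^(k-n)."""
    r = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                r[k] = (r[k] + ai * bj) % Q
            else:
                r[k - N] = (r[k - N] - ai * bj) % Q
    return r


def rot(a):
    """The n x n negacyclic block: row i is the coefficient vector of x^i * a(x) mod (q, x^n + 1)."""
    rows, cur = [], list(a)
    for _ in range(N):
        rows.append(cur)
        cur = [(-cur[-1]) % Q] + cur[:-1]   # multiply by x: shift up one degree, the x^n term wraps around as -1
    return rows


def keygen(seed):
    """Public key a_1, ..., a_m: uniform polynomials of degree < n (constructed from a seed for reproducibility)."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]


def message_bits(seed):
    """A constructed input s in {0,1}^(mn): block i (bits i*n .. i*n+n-1) is the coefficient vector of s_i(x)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(M * N)]


def hash_matrix(keys, s):
    """SIS form: s |-> s * A mod q, with A the vertical stack of the m negacyclic blocks rot(a_i) (mn rows, n columns)."""
    A = [row for a in keys for row in rot(a)]
    return [sum(s[r] * A[r][c] for r in range(M * N)) % Q for c in range(N)]


def hash_poly(keys, s):
    """Id-SIS form: sum_i s_i(x) * a_i(x) mod (q, x^n + 1)."""
    out = [0] * N
    for i, a in enumerate(keys):
        prod = negacyclic_mul(s[i * N:(i + 1) * N], a)
        out = [(x + y) % Q for x, y in zip(out, prod)]
    return out


# Because 2n | q - 1, x^n + 1 has n distinct roots mod q. Any root psi has order exactly 2n,
# and the full set of roots is psi^(2j+1) for j = 0..n-1.
PSI = next(r for r in range(2, Q) if pow(r, N, Q) == Q - 1)
POINTS = [pow(PSI, 2 * j + 1, Q) for j in range(N)]


def evaluate(f, r):
    return sum(c * pow(r, k, Q) for k, c in enumerate(f)) % Q


def from_evaluations(vals):
    """Inverse of f |-> (f(psi^(2j+1)))_j: with omega = psi^2, f_k = n^-1 * psi^-k * sum_j F_j * omega^(-jk)."""
    n_inv, psi_inv = pow(N, Q - 2, Q), pow(PSI, Q - 2, Q)
    return [(n_inv * pow(psi_inv, k, Q) * sum(v * pow(psi_inv, 2 * j * k, Q) for j, v in enumerate(vals))) % Q
            for k in range(N)]


def hash_dft(keys, s):
    """DFT form: evaluate every s_i and a_i at the roots of x^n + 1, multiply and add pointwise in Z_q,
    then interpolate back. Same output as hash_poly; the evaluation here is schoolbook O(n^2)."""
    vals = [sum(evaluate(s[i * N:(i + 1) * N], r) * evaluate(a, r) for i, a in enumerate(keys)) % Q for r in POINTS]
    return from_evaluations(vals)


def is_id_sis_solution(keys, d):
    """A collision s != s' of the hash gives d = s - s' in {-1,0,1}^(mn), nonzero, with sum_i d_i(x) a_i(x) = 0:
    a short Id-SIS solution. This is the check such a difference has to pass."""
    return any(d) and max(abs(x) for x in d) <= 1 and hash_poly(keys, d) == [0] * N
```

The input is $mn = 1024$ bits and the output $n$ residues mod $257$, about $513$ bits, so the function compresses; a collision would hand over an Id-SIS solution with $\|d\|_\infty \le 1$, which is why the hash inherits the worst-case hardness of the previous slide.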


A uniform $A$ with a good basis for $A^\perp$

If $m = \Omega(\log q)$ then we can efficiently sample $A \in \mathbb{Z}_q^{mn \times n}$ and $T_A$ such that:

The statistical distance from $A$ to uniform is $2^{-\Omega(n)}$.

The rows of $T_A$ are small: $\max_i \|t_i^*\| = O(\sqrt{n \log q})$ (the $t_i^*$ are the Gram-Schmidt vectors of the rows $t_i$).

$T_A \in \mathbb{Z}^{mn \times mn}$ is a basis of $A^\perp$.

[Figure: $T_A \cdot A = 0 \ [q]$, with the entries of $T_A$ small.]

Principle:

Assume $(a_i)_{i \le k}$ are iid uniform.

Take $(x_i)_{i \le k}$ iid uniform in $\{-1, 0, 1\}$. Then $a_{k+1} = \sum_{i \le k} x_i a_i$ is close to uniform, and $(x_1, \ldots, x_k, -1)$ is a short vector of $A^\perp$.

A trapdoor for SIS

Suppose we know $u \in \mathbb{Z}_q^n$, $A$ and $T_A$. How do we find a small $s \in \mathbb{Z}^{mn}$ such that $sA = u \ [q]$?

With linear algebra, find $c \in \mathbb{Z}^{mn}$ such that $cA = u \ [q]$.

It suffices to find a vector $b$ of $A^\perp$ that is close to $c$: then $\|c - b\|$ is small and $(c - b)A = cA - bA = u \ [q]$.

Use the sampler for $D_{L,\sigma,c}$ with $L = A^\perp$ (given by the basis $T_A$) and $\sigma = \sqrt{n} \cdot \max_i \|t_i^*\| = O(n\sqrt{\log q})$.

We have $\|c - b\| \le \sigma\sqrt{n} = O(n^{1.5}\sqrt{\log q})$ with probability $\ge 1 - 2^{-\Omega(n)}$.

And we do not leak any information about the trapdoor: the distribution of $s = c - b$ depends only on $A$, $u$ and $\sigma$, not on which basis $T_A$ of $A^\perp$ was used, as long as $\sigma$ is large enough for that basis.

Cryptographic application: hash-and-sign

Signature: to ensure the authenticity of a document.

Signer's public key: $A$; private key: $T_A$.

To sign $M$, use the trapdoor to find a short $s$ with $sA = H(M)$, where $H$ is a public random oracle.

To verify $(M, s)$, check whether $sA = H(M)$ and $\|s\|$ is small.

Can be made at least as hard to break as to solve SIS, in the random oracle model.

One caveat to keep in mind: signing must be consistent across repeated queries on the same $M$ ([GPV'08] either derive the sampler's coins from $M$ with a secret PRF key or keep a table of issued signatures). Two distinct short preimages $s \ne s'$ of the same $H(M)$ give the short nonzero vector $s - s' \in A^\perp$, which is precisely the kind of trapdoor information the Gaussian sampling above is chosen not to leak.
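A runnable version of the last three slides (generating $A$ with a short basis of $A^\perp$, sampling a short preimage, hash-and-sign), added here as an example and not taken from the lecture. Assumptions, all stand-ins for what the slides describe: the pair $(A, T_A)$ comes from a toy construction (block $j$ of $A$ is $2^j I_n$, with $q = 2^k$) whose $A^\perp$ has an obvious short basis, instead of the near-uniform sampler of the slide; the sampler is Klein's randomized nearest-plane algorithm, which is what [GPV'08] use, with $\sigma = \sqrt{mn}\cdot\max_i\|t_i^*\|$ (the lattice here has dimension $mn$ where the slide writes $\sqrt{n}$); $H$ is SHA-256 reduced mod $q$; and the sampler's coins are derived from a secret seed and the message, so re-signing the same message returns the same $s$.

```python
import hashlib
import math
import random
from fractions import Fraction

N, K = 4, 8            # n = 4, m = K = 8 blocks of n rows, so A has mn = 32 rows
Q = 1 << K             # q = 2^k = 256 (the toy lattice below needs q = 2^k)
MN = N * K


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def toy_trapdoor():
    """Stand-in for the slide's trapdoor generation (assumption: not the lecture's construction).
    A stacks the blocks 2^j * I_n for j = 0..k-1. For each coordinate i and block j, T has the row
    2*e_(j,i) - e_(j+1,i): it satisfies t*A = 2*2^j - 2^(j+1) = 0 (and 2*2^(k-1) = q = 0 mod q for the last block).
    T is a basis of A^perp with rows of norm <= sqrt(5); this A is far from uniform, which is the price of the toy."""
    A = [[(1 << j) * (c == i) for c in range(N)] for j in range(K) for i in range(N)]
    T = [[2 * (r == j * N + i) - (r == (j + 1) * N + i) for r in range(MN)] for i in range(N) for j in range(K)]
    return A, T


def gram_schmidt(B):
    """Exact Gram-Schmidt vectors b_i^* (as Fractions); the sampler uses these together with the original rows."""
    Bs = []
    for b in B:
        v = [Fraction(x) for x in b]
        for w in Bs:
            mu = dot(b, w) / dot(w, w)
            v = [a - mu * c for a, c in zip(v, w)]
        Bs.append(v)
    return Bs


def sample_z(rng, center, sigma):
    """D_{Z, sigma, center}: density proportional to exp(-pi (z - center)^2 / sigma^2), by rejection from a window."""
    c = float(center)
    lo, hi = math.floor(c - 8 * sigma), math.ceil(c + 8 * sigma)
    while True:
        z = rng.randint(lo, hi)
        if rng.random() < math.exp(-math.pi * (z - c) ** 2 / sigma ** 2):
            return z


def gaussian_sample(rng, B, Bs, sigma, target):
    """Klein / GPV randomized nearest-plane: returns a lattice vector distributed as D_{L(B), sigma, target}
    (up to negligible error once sigma >= sqrt(dim) * max ||b_i^*||, the condition on the slide)."""
    c = [Fraction(x) for x in target]
    v = [0] * len(B)
    for i in reversed(range(len(B))):
        norm2 = dot(Bs[i], Bs[i])
        z = sample_z(rng, dot(c, Bs[i]) / norm2, sigma / math.sqrt(norm2))
        c = [a - z * b for a, b in zip(c, B[i])]
        v = [a + z * b for a, b in zip(v, B[i])]
    return v


def hash_to_Zq(msg):
    """The random oracle H, modelled by SHA-256 truncated to n residues mod q (constructed for the demo)."""
    return [byte % Q for byte in hashlib.sha256(msg).digest()[:N]]


def keygen(seed):
    A, T = toy_trapdoor()
    Ts = gram_schmidt(T)
    sigma = math.sqrt(MN) * max(math.sqrt(dot(w, w)) for w in Ts)   # sqrt(dim) * max ||t_i^*||, dim = mn here
    return A, (T, Ts, sigma, seed)


def signature_bound(sk):
    """beta = sigma * sqrt(mn): the verifier's length bound, met with overwhelming probability by honest signatures."""
    return sk[2] * math.sqrt(MN)


def sign(sk, msg):
    T, Ts, sigma, seed = sk
    u = hash_to_Zq(msg)
    c = u + [0] * (MN - N)                 # c*A = u mod q: the first block of A is I_n, so this is the linear-algebra step
    rng = random.Random(hashlib.sha256(seed + msg).digest())   # PRF-derived coins: the same M always gives the same s
    b = gaussian_sample(rng, T, Ts, sigma, c)                 # b in A^perp, close to c
    return [x - y for x, y in zip(c, b)]                      # s = c - b, so s*A = c*A = u mod q


def verify(A, msg, s, beta):
    sA = [sum(s[r] * A[r][col] for r in range(MN)) % Q for col in range(N)]
    return sA == hash_to_Zq(msg) and 0 < math.sqrt(dot(s, s)) <= beta


def in_A_perp(A, t):
    return all(sum(t[r] * A[r][col] for r in range(MN)) % Q == 0 for col in range(N))
```

Signing the same message twice returns the same $s$. Signing it under a second key object that shares $A$ but uses independent coins (as the test does) returns a different preimage, and the difference of the two is a short vector of $A^\perp$: that is the leak the message-bound coins prevent.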

A trapdoor for Id-SIS

If $m = \Omega(n \log q)$ and $x^n+1$ has $O(1)$ factors mod $q$, then we can efficiently sample $a_1, \ldots, a_m \in \mathbb{Z}_q[x]/(x^n+1)$ and $T_A \in (\mathbb{Z}[x]/(x^n+1))^{m \times m}$ such that:

The statistical distance from $a$ to uniform is $2^{-\Omega(n)}$.

The rows of $\mathrm{rot}(T_A)$ are small: $\max_i \|t_i^*\| = O(\sqrt{n \log q})$.

$\mathrm{rot}(T_A) \in \mathbb{Z}^{mn \times mn}$ is a basis of a full-rank sublattice of $A^\perp$.

[Figure: $T_A \cdot A = 0 \ [q]$, with the entries of $T_A$ small.]

Comparison with SIS' trapdoor

Drawbacks (wrt SIS):

There are non-trivial ideals in $\mathbb{Z}_q[x]/(x^n+1)$.

$A^\perp$ has a structure of $\mathcal{O}_K$-module: a full pseudo-basis of $A^\perp$ could be obtained from $T_A$ using the Cohen-Bosma-Pohst HNF for Dedekind domains.

Advantages:

Compact trapdoor: $(mn)^2 \log q$ bits $\to$ $m^2 n \log q$ bits.

Verifying the signature is faster.

But there exists a more efficient Id-SIS-based signature anyway [Lyubashevsky'09].

Plan

1- Background on Euclidean lattices.

2- The SIS problem, or how to hash.

3- The LWE problem, or how to encrypt.

4- Cryptanalysis.

5- More recent developments.

The LWE problem

a- Non structured LWE.

b- Structured LWE.

c- Encrypting with LWE.

LWE$_{\alpha,q,m}$ [Regev'05]

The Learning With Errors Problem

Take $A$ uniform in $\mathbb{Z}_q^{mn \times n}$, $s$ uniform in $\mathbb{Z}_q^n$ and $e$ sampled from $\mathcal{N}^{mn}_{\alpha q}$ (a Gaussian of parameter $\alpha q$ in dimension $mn$). Given $A$ and $As + e \ [q]$, find $s$.

[Figure: $A$ ($mn$ rows, $n$ columns, uniform) $\cdot$ $s$ (uniform) $+$ $e$ (small).]

Many interpretations:

Given many $\langle a_i, s \rangle + e_i$, find $s$.

Resembles LPN (over $\mathbb{Z}_2$).

Resembles Subset-Sum [LPS'09].

Closest codeword problem.

Lattice problem . . .

Page 132: Introduction to modern lattice-based cryptography · Introduction to modern lattice-based cryptography Damien Stehl´e CNRS/Macquarie University/University of Sydney Marseille, February

Introduction Lattices The SIS problem The LWE problem Cryptanalysis Recent developments Conclusion

LWE as a lattice problem

The Learning With Errors Problem

Take A uniform in Zmn×nq , s uniform in Zn

q and e sampledfrom Nmn

αq . Given A and As + e [q], find s.

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 44/81

Page 133: Introduction to modern lattice-based cryptography · Introduction to modern lattice-based cryptography Damien Stehl´e CNRS/Macquarie University/University of Sydney Marseille, February

Introduction Lattices The SIS problem The LWE problem Cryptanalysis Recent developments Conclusion

LWE as a lattice problem

The Learning With Errors Problem

Take A uniform in Zmn×nq , s uniform in Zn

q and e sampledfrom Nmn

αq . Given A and As + e [q], find s.

Let LA = b ∈ Zmn : ∃x ∈ Znq,b = Ax [q].

LWE as a lattice problem

The Learning With Errors Problem

Take $A$ uniform in $\mathbb{Z}_q^{mn \times n}$, $s$ uniform in $\mathbb{Z}_q^n$ and $e$ sampled from $\mathcal{N}_{\alpha q}^{mn}$. Given $A$ and $As + e \ [q]$, find $s$.

Let $L_A = \{ b \in \mathbb{Z}^{mn} : \exists x \in \mathbb{Z}_q^n,\ b = Ax \ [q] \}$.

$L_A$ is an $(mn)$-dimensional lattice and $\widehat{L_A} = \frac{1}{q} A^\perp$.

$\mathrm{BDD}_{\alpha,q}$ (bounded distance decoding): Take $A$ uniform in $\mathbb{Z}_q^{mn \times n}$, take $b \in L_A$ arbitrary and $e$ sampled from $\mathcal{N}_{\alpha q}^{mn}$; given $b + e$, find $b$.

If we can solve LWE then we can solve BDD.

LWE as a one-way function

OWF: easy to evaluate and hard to invert.

LWE's one-way function: $s \in \mathbb{Z}_q^n \mapsto As + e \ [q]$.

Expansion: $n \log q$ bits $\mapsto$ $mn \log q$ bits.

A one-way function with trapdoor.

Generate $A$ together with $T_A$.

$T_A \cdot (As + e) = T_A e \ [q]$.

$T_A$ and $e$ are small: we have $T_A e$ over $\mathbb{Z}$. We recover $e$ and then $s$ by linear algebra.

Sufficient condition (the $t_i$ being the rows of $T_A$):
$\frac{q}{2} > \sqrt{n}\,\alpha q \cdot \max_i \|t_i\| \ \Leftarrow\ n^{1.5} \alpha \sqrt{\log q} = o(1)$.

How hard is LWE?

Quantum worst-case to average-case reduction ($\gamma \approx n/\alpha$)

Any efficient LWE algorithm succeeding with non-negligible probability leads to an efficient quantum SIVP algorithm.

Efficient quantum computers make LWE more secure!

[Peikert'09] de-quantumized the reduction, with larger $q$ or an unusual variant of SIVP.

[SSTX'09]: simpler (but weaker) quantum reduction.

How hard is $\mathrm{BDD}_{\alpha,q}$? Rough intuition.

[Figure: $L \longrightarrow \widehat{L}$ under the Fourier transform.]

The Fourier transform of the distribution is implemented with the quantum Fourier transform.

The input quantum state is built with the LWE oracle.

The measurement gives a small SIS solution.

More formally

If $\mathcal{D}$ is a distribution over a finite domain $D$ that can be sampled efficiently (classically), then the quantum state $\sum_{x \in D} \sqrt{\mathcal{D}(x)}\,|x\rangle$ can be built efficiently.

When a state $\sum_{x \in D} \sqrt{\mathcal{D}(x)}\,|x\rangle$ is measured, then $x_0 \in D$ is returned with probability $\mathcal{D}(x_0)$.

Apart from measurements, only invertible (unitary) operations can be applied to states.

We want to build the state $\sum_{e \in \mathbb{R}^n,\ b \in L} \rho_{\alpha q}(e)\,|b + e\rangle$.

More details, but still informal

$L$ is infinite $\Rightarrow$ we work modulo $L$.

$\mathbb{R}^n$ is infinite $\Rightarrow$ we work in a very fine grid $L/R$.

Gaussians vanish quickly $\Rightarrow$ we neglect their tails.

1. We build $\sum_{e \in L/R,\ \|e\| \le \alpha q \sqrt{n}} \rho_{\alpha q}(e)\,|e\rangle\,|e\rangle$.
2. We reduce mod $L$: $\sum \rho_{\alpha q}(e)\,|e \bmod L\rangle\,|e\rangle$.
3. We use the BDD oracle: $\sum \rho_{\alpha q}(e)\,|e \bmod L\rangle\,|0\rangle$.
4. Applying the quantum Fourier transform and measuring provides a sample from $D_{\widehat{L_A},\,1/(\alpha q)}$, i.e., $D_{A^\perp,\,1/\alpha}$.

Additional difficulty: the oracle may solve LWE with probability $\ll 1$. Use the trace distance.

The LWE problem

a- Non structured LWE.

b- Structured LWE.

c- Encrypting with LWE.

Ideal LWE [SSTX'09]

Id-LWE: Take a block negacyclic LWE matrix (as for Id-SIS).

Any efficient Id-LWE algo. succeeding with non-negligible probability leads to an efficient quantum Id-SIVP algo.

Polynomial interpretation: Let $a_1, \ldots, a_m \in \mathbb{Z}_q[x]/(x^n + 1)$ be the polynomials corresponding to the block matrix. Then $A \cdot s$ corresponds to
$(a_i(x) \cdot s(x) \bmod (q, x^n + 1))_{i \le m}$,
where $a(x) = a_0 - \sum_{1 \le k < n} a_{n-k} x^k$.
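The polynomial interpretation above, as an added Python example (not code from the slides or from [SSTX'09]). It builds one negacyclic block from a row $a = (a_0, \ldots, a_{n-1})$, taking row $i$ of the block to be the first row shifted right $i$ times with each wrapped-around entry negated (that this is the block's orientation is an assumption of the example, chosen so that the slide's formula for $a(x)$ holds), and checks for every block that the plain matrix-vector product equals the coefficient vector of $a(x)\,s(x) \bmod (q, x^n + 1)$ with $a(x) = a_0 - \sum_{1 \le k < n} a_{n-k} x^k$. The sample rows, secret and modulus are constructed values.

```python
def negacyclic_block(a, q):
    """Block whose first row is a and whose row i is x^i times the first row,
    i.e. each step maps (a_0, ..., a_{n-1}) to (-a_{n-1}, a_0, ..., a_{n-2}) mod q.
    Orientation assumed here to match the slide's formula for a(x)."""
    rows, row = [], [x % q for x in a]
    for _ in range(len(a)):
        rows.append(row)
        row = [(-row[-1]) % q] + row[:-1]
    return rows


def slide_polynomial(a, q):
    """Coefficient list of a(x) = a_0 - sum_{1<=k<n} a_{n-k} x^k, as on the slide.
    It is the first column of the block, read as a polynomial."""
    n = len(a)
    return [a[0] % q] + [(-a[n - k]) % q for k in range(1, n)]


def polymul_mod(f, g, q):
    """f(x) * g(x) mod (q, x^n + 1): a monomial wrapping past degree n-1 changes sign."""
    n = len(f)
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                out[i + j] += fi * gj
            else:
                out[i + j - n] -= fi * gj
    return [x % q for x in out]


def block_times_vector(a, s, q):
    """A_i * s for one block of the Id-LWE matrix, as a plain matrix-vector product."""
    return [sum(x * y for x, y in zip(row, s)) % q for row in negacyclic_block(a, q)]


def id_lwe_product(blocks, s, q):
    """A * s for the whole block matrix, computed block by block as a_i(x) * s(x)."""
    return [polymul_mod(slide_polynomial(a, q), s, q) for a in blocks]


def check_correspondence(blocks, s, q):
    """True iff the matrix view and the polynomial view agree on every block."""
    return [block_times_vector(a, s, q) for a in blocks] == id_lwe_product(blocks, s, q)


if __name__ == "__main__":
    Q, s = 17, [2, 7, 1, 8]                      # constructed toy modulus and secret
    blocks = [[3, 1, 4, 1], [5, 9, 2, 6]]        # constructed rows a_1, a_2 (n = 4, m = 2)
    print(check_correspondence(blocks, s, Q))    # True
```

The `polymul_mod` route is what makes the structured matrix cheap: it never materialises the $n \times n$ block, and for a splitting $q$ it is the step that an NTT would accelerate, which is the practicality issue raised on the next slide.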

A faster trapdoor one-way function

Evaluation cost: $O(n^2) \Rightarrow O(n)$ bit operations.

For the inversion, use the structured $T_A$ from Id-SIS.

$T_A \cdot (As + e) = T_A e$ over the integers. Multiply by $T_A^{-1}$ to recover $e$, and then $s$.

Evaluation/inversion cost: $O(n^2) \Rightarrow O(n)$ bit operations.

Less practical than the Id-SIS hash, because we cannot take $q$ such that $x^n + 1$ splits completely mod $q$.

Decisional-LWE

Computational-LWE

Take $A$ uniform in $\mathbb{Z}_q^{mn \times n}$, $s$ uniform in $\mathbb{Z}_q^n$ and $e$ sampled from $\mathcal{N}_{\alpha q}^{mn}$. Given $A$ and $As + e \ [q]$, find $s$.

Decisional-LWE

Take $A$ uniform in $\mathbb{Z}_q^{mn \times n}$, $s$ uniform in $\mathbb{Z}_q^n$ and $e$ sampled from $\mathcal{N}_{\alpha q}^{mn}$. Distinguish between the distribution of $(A, As + e \ [q])$ and the uniform distribution over $\mathbb{Z}_q^{mn \times n} \times \mathbb{Z}_q^{mn}$.

Regev proved that Dec-LWE is at least as hard as Comp-LWE.

The adaptation to Id-LWE is not known to hold.

Encrypting with LWE

[Figure: the ciphertext as a block product, $[A;\ A'] \cdot s + [e;\ e' + \lfloor q/2 \rfloor \cdot M]$.]

Public key: $A \in \mathbb{Z}_q^{mn \times n}$, $A' \in \mathbb{Z}_q^{n \times n}$; private key: $T_A$.

Encrypting $M \in \{0,1\}^n$: generate $s \in \mathbb{Z}_q^n$, $e \in \mathbb{Z}_q^{mn}$ and $e' \in \mathbb{Z}_q^n$; compute $[As + e;\ A's + e' + \lfloor q/2 \rfloor \cdot M]$.

Decryption: recover $s$ from the first part of the ciphertext, using $T_A$; compute $A's$ to obtain $e' + \lfloor q/2 \rfloor M$; round to the closest multiple of $\lfloor q/2 \rfloor$ to recover $M$.

A CPA attack would lead to an algorithm for Decisional-LWE.
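The trapdoor one-way function of the slide "LWE as a one-way function" and the encryption scheme just described, as one added Python example; this is not code from the slides or from any of the cited papers. Key generation is an assumption of the example: $A = [A_1;\ R A_1]$ with a secret small $R$ extended by public gadget rows $B^j e_i$, so that $T_A = [[0, C],[-R, I]]$ with $C R = q I$ is square, has rows with entries of size about $B \approx \sqrt{q}$, and satisfies $T_A A = 0 \ [q]$; the top $n$ rows of $A_1$ are the identity so that $s$ can be read off once $e$ is known. Inversion follows the slide: centering $T_A b$ gives $T_A e$ over $\mathbb{Z}$, then $e$, then $s$. Decryption subtracts $A's$ and rounds to the closest multiple of $\lfloor q/2 \rfloor$. The parameters ($q = 65521$, $n = 4$, rounded Gaussian errors of width 2) are toy values chosen so that every coordinate of $T_A e$ stays below $q/2$; they are not a secure parameter set, and so few rows in $A_1$ do not hide $R$ well.

```python
import random

# Constructed toy parameters (not from the slides). Q is prime; B ~ sqrt(Q) so that the
# rows of the trapdoor T_A have entries of size at most about B, well below Q/2.
Q = 65521
B = 256
N = 4               # dimension of the secret s and length of the message M
K1 = 2 * N          # rows of the first block A1 of A (its top N rows are the identity)
N_RAND = 8          # random {-1,0,1} rows of R, the secret part of the trapdoor
SIGMA = 2.0         # error width, standing in for alpha*q
DIGITS = []         # base-B digits of Q, i.e. Q = sum_j DIGITS[j] * B**j
_x = Q
while _x:
    DIGITS.append(_x % B)
    _x //= B
K = len(DIGITS)     # 2 for Q = 65521 = 255*256 + 241

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def matvec(M, v, mod=None):
    out = [sum(a * b for a, b in zip(row, v)) for row in M]
    return [x % mod for x in out] if mod else out

def keygen(rng):
    """A = [A1; R A1] and T = [[0, C], [-R, I]] with C R = Q I, hence T A = 0 mod Q."""
    A1 = [[int(i == j) for j in range(N)] for i in range(N)]
    A1 += [[rng.randrange(Q) for _ in range(N)] for _ in range(K1 - N)]
    G = [[B ** j * int(c == i) for c in range(K1)] for i in range(K1) for j in range(K)]
    R = G + [[rng.choice((-1, 0, 1)) for _ in range(K1)] for _ in range(N_RAND)]
    K2 = len(R)
    A2 = [[sum(R[r][c] * A1[c][j] for c in range(K1)) % Q for j in range(N)] for r in range(K2)]
    C = [[0] * K2 for _ in range(K1)]
    for i in range(K1):          # row i of C puts the digits of Q on the gadget rows B^j e_i
        for j in range(K):
            C[i][i * K + j] = DIGITS[j]
    T = [[0] * K1 + C[i] for i in range(K1)]
    T += [[-x for x in R[r]] + [int(c == r) for c in range(K2)] for r in range(K2)]
    return A1 + A2, T

def is_trapdoor(A, T):
    """T A = 0 mod Q: every row of T lies in the lattice A^perp."""
    At = list(zip(*A))
    return all(x == 0 for row in T for x in matvec(At, row, Q))

def sample_error(rng, dim):
    """Rounded Gaussian error of width SIGMA (stand-in for the slides' N_{alpha q})."""
    return [round(rng.gauss(0.0, SIGMA)) for _ in range(dim)]

def evaluate(A, s, e):
    """The LWE one-way function s -> A s + e mod Q."""
    return [(x + y) % Q for x, y in zip(matvec(A, s), e)]

def invert(T, b):
    """Recover (s, e) from b = A s + e: T b = T e over Z, then e, then s by linear algebra."""
    C = [row[K1:] for row in T[:K1]]
    R = [[-x for x in row[:K1]] for row in T[K1:]]
    # T b = T A s + T e = T e (mod Q); every |(T e)_i| < Q/2, so centering gives T e over Z
    c = [centered(x) for x in matvec(T, b, Q)]
    c1, c2 = c[:K1], c[K1:]
    # c1 = C e2 and c2 = e2 - R e1, hence c1 - C c2 = C R e1 = Q e1
    qe1 = [x - y for x, y in zip(c1, matvec(C, c2))]
    if any(x % Q for x in qe1):
        raise ValueError("error too large for this trapdoor")
    e1 = [x // Q for x in qe1]
    e2 = [x + y for x, y in zip(c2, matvec(R, e1))]
    s = [(x - y) % Q for x, y in zip(b[:N], e1[:N])]     # top N rows of A are I_N
    return s, e1 + e2

def encrypt(pk, M, rng):
    """[A s + e ; A' s + e' + floor(Q/2) M] for a bit vector M of length N."""
    A, Ap = pk
    s = [rng.randrange(Q) for _ in range(N)]
    e, ep = sample_error(rng, len(A)), sample_error(rng, N)
    bot = [(x + y + (Q // 2) * m) % Q for x, y, m in zip(matvec(Ap, s), ep, M)]
    return evaluate(A, s, e), bot

def decrypt(T, Ap, ct):
    """Recover s with T, subtract A' s, and round to the closest multiple of floor(Q/2)."""
    top, bot = ct
    s, _ = invert(T, top)
    v = [centered(x - y) for x, y in zip(bot, matvec(Ap, s))]   # e' + floor(Q/2) M, centered
    return [0 if abs(x) < Q // 4 else 1 for x in v]

def keypair(seed):
    """Deterministic keys for experiments; the seed is constructed input."""
    rng = random.Random(seed)
    A, T = keygen(rng)
    Ap = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    return (A, Ap), T, rng

if __name__ == "__main__":
    pk, sk, rng = keypair(1)
    M = [1, 0, 1, 1]
    print(decrypt(sk, pk[1], encrypt(pk, M, rng)) == M)    # True
```

The divisibility check in `invert` is the slide's sufficient condition in concrete form: it fires exactly when some coordinate of $T_A e$ reached $q/2$ and the centered value is no longer $T_A e$ over $\mathbb{Z}$, which with the toy error width never happens in practice. `is_trapdoor` is the check a practitioner wants on any generated key: it verifies that every row of $T_A$ lies in $A^\perp$ before the key is ever used.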

Encrypting with Id-LWE

We cannot use the decisional variant of Id-LWE.

But we have a trapdoor one-way function which is at least as hard to invert as solving Computational-Id-LWE.

There is a generic transformation from a trapdoor OWF to a CPA-secure encryption scheme (Goldreich-Levin).

Encryption: evaluate the OWF with a random $s$; let $\rho$ be the random bits used, seen as a vector in $\mathbb{Z}_2^\ell$; multiply $\rho$ with a random public Toeplitz matrix over $\mathbb{Z}_2$; use the output vector to mask the message $M$.

Decryption: use the trapdoor to recover $s$; apply the Toeplitz matrix to recover $M$.

Encryption/decryption of $\Omega(n)$ bits in time $O(n)$.

CPA-secure if Id-SVP$_{O(n^2)}$ is hard for sub-exponential quantum algorithms.

But impractical because of the generic transformation.

Plan

1- Background on Euclidean lattices.

2- The SIS problem, or how to hash.

3- The LWE problem, or how to encrypt.

4- Cryptanalysis.

5- More recent developments.

Attacking SIS/Id-SIS/LWE/Id-LWE

The only known attack consists in finding a small vector/basis of the lattice $A^\perp = \{ s \in \mathbb{Z}^{mn} : sA = 0 \ [q] \}$.

Generalized birthday attack: may be feasible if $m$ is large. Its cost is easily determined [MR'09].

Lattice reduction: may be applied to a subset of the rows (trade-off between approximation factor and existence of short vectors).

But... although quite old (Lagrange, Gauss, Hermite, Minkowski, etc.)... lattice reduction is not so well understood.

Lattice reduction

Principle: start from an arbitrary basis of the lattice, and progressively improve it.

Quality of a basis: measured by the Gram-Schmidt Orthogonalization.

[Figure: $b_1, b_2, b_2^*, b_3, b_3^*$, with $b_i^* = \operatorname{argmin} \| b_i + \sum_{j<i} \mathbb{R}\, b_j \|$.]

Quality measure: $(\|b_i^*\|)_{i=1..n}$.

Why? The slower the $\|b_i^*\|$'s decrease, the more orthogonal. Their product is constant. If they decrease slowly, then $b_1$ must be small.

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 59/81

Page 182: Introduction to modern lattice-based cryptography · Introduction to modern lattice-based cryptography Damien Stehl´e CNRS/Macquarie University/University of Sydney Marseille, February

Introduction Lattices The SIS problem The LWE problem Cryptanalysis Recent developments Conclusion

BKZ: a trade-off between LLL and HKZ

LLL HKZ

log ‖b∗i ‖log ‖b∗

i ‖

ii

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 60/81

Page 183: Introduction to modern lattice-based cryptography · Introduction to modern lattice-based cryptography Damien Stehl´e CNRS/Macquarie University/University of Sydney Marseille, February

Introduction Lattices The SIS problem The LWE problem Cryptanalysis Recent developments Conclusion

BKZ: a trade-off between LLL and HKZ

LLL HKZtoo weak too costly

log ‖b∗i ‖log ‖b∗

i ‖

ii

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 60/81

Page 184: Introduction to modern lattice-based cryptography · Introduction to modern lattice-based cryptography Damien Stehl´e CNRS/Macquarie University/University of Sydney Marseille, February

Introduction Lattices The SIS problem The LWE problem Cryptanalysis Recent developments Conclusion

BKZ: a trade-off between LLL and HKZ

LLL HKZtoo weak too costly

log ‖b∗i ‖log ‖b∗

i ‖

ii

[Schnorr’87]: use HKZ within smaller-dimensional blocks.

BKZ is the best practical variant [SE’94].

Best theoretical variant: [GN’08].

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 60/81

BKZ: a trade-off between LLL and HKZ

[Figure: $\log \|b_i^*\|$ plotted against $i$ for an LLL-reduced basis (too weak) and an HKZ-reduced basis (too costly).]

[Schnorr'87]: use HKZ within smaller-dimensional blocks.

BKZ is the best practical variant [SE'94].

Best theoretical variant: [GN'08].

[Figure: $\log \|b_i^*\|$ plotted against $i$ for BKZ with block-sizes 10, 20 and 30 (BKZ10, BKZ20, BKZ30).]

Schnorr's hierarchy

Theoretical rule of thumb for block-size $k$: cost $\mathrm{Poly}(n) \cdot 2^k$ and SVP approximation factor $n^{n/k}$.

Seems satisfied by BKZ for small block-sizes.

But the cost unexpectedly blows up with block-size ≈ 30.

Warnings

The runtime of BKZ is not polynomial in the block-size.

BKZ is the only implemented/available variant of Schnorr's hierarchy.

Solving SVP: see workshop session

It is not known yet how far we can solve SVP.

[KFP'83] is the best deterministic algorithm.

Cost: time $n^{n/(2e)}$, space $\mathrm{Poly}(n)$ [HS'07].

Tree pruning, parallelisation, hardware implementation (in progress).

[AKS'01] is the best probabilistic algorithm.

Cost: time $2^{3.2n}$, space $2^{1.3n}$ [MV'09].

Fresh new result: time $2^{2.5n}$ and space $2^{1.2n}$ [PS'09].

Heuristically: time $2^{0.4n}$ and space $2^{0.2n}$ [MV'09].

Plan

1- Background on Euclidean lattices.

2- The SIS problem, or how to hash.

3- The LWE problem, or how to encrypt.

4- Cryptanalysis.

5- More recent developments.

More recent developments

a- Identity-based encryption.

b- Fully homomorphic encryption.

(H)-IBE

Identity-based encryption: encryption scheme for which the public key of a user is uniquely determined by its identity; the user's private key is computed by a trusted authority, using a master private key. No need for a public key distribution infrastructure.

Given as an open problem in 1984, by Shamir.

First realization by Boneh and Franklin in 2001, using bilinear pairings on elliptic curves.

Hierarchical identity-based encryption: same as IBE, but each entity in level k of a hierarchy can generate the private keys of all entities of lower levels in the hierarchy.

HIBE using LWE

Encode an identity id as a string of bits of length ≤ k.

An identity id is higher in the hierarchy than an identity id′ if id is a prefix of id′.

The master has the empty identity (the empty bit-string, which is a prefix of every id).

Sample $A \in \mathbb{Z}_q^{mn \times n}$ together with a trapdoor $T_A$ (a short basis for $A^\perp$). These are the master's keys.

Generate $(A_1^0, A_1^1), \dots, (A_k^0, A_k^1)$ i.i.d. uniformly in $\mathbb{Z}_q^{mn \times n}$.

User $id = i_1 \dots i_\ell$ has public key $A_{id}$, the vertical concatenation of $A, A_1^{i_1}, \dots, A_\ell^{i_\ell}$.

The private key of user id is a short basis of $A_{id}^\perp$.

The encryption scheme is the LWE encryption scheme.

Private key extraction

Suppose id is a prefix of id′. How does user id extract a private key for user id′ from his/her own private key? How to obtain a $T_{A_{id}}$ from a $T_{A_{id'}}$?

Writing the new rows as combinations of the previous ones suffices to obtain a basis of $A_{id'}^\perp$ with small GSO.

[Diagram, reconstructed: the stacked matrix $A_{id'} = \begin{pmatrix} A \\ A' \end{pmatrix}$ with $A' = UA$, and the block matrix $\begin{pmatrix} T_A & 0 \\ -U & \mathrm{Id} \end{pmatrix}$, whose rows all annihilate $A_{id'}$ modulo $q$ since $T_A A = 0$ and $-UA + A' = 0$.]
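The extraction step on this slide, applied to the key structure of the previous one (master matrix $A$ with trapdoor $T_A$, a fresh uniform block for the next level, $A_{id'}$ as the vertical concatenation), as an added Python example that is not from the lecture or from any HIBE implementation. Row convention is used throughout: $A^\perp = \{x : xA = 0 \bmod q\}$. A real trapdoor $T_A$ is a *short* basis sampled together with $A$; that sampler is out of scope here, so the constructed master matrix gets an identity top block, which lets a valid (but not short) basis of $A^\perp$ be written down directly. The extension step, computing $U$ with $UA = A' \bmod q$ and appending the rows $(-u, e_j)$, is the same whatever $T_A$ is, and the example verifies that the extended matrix lies in $A_{id'}^\perp$, has the right volume, and has GSO norms equal to those of $T_A$ followed by ones. The names `solve_mod`, `master_keygen`, `extend`, `demo` and the toy parameters `q = 97, n = 3, m = 7` are assumptions of the example.

```python
from fractions import Fraction
import random

q, n, m = 97, 3, 7   # toy sizes (constructed): prime modulus, columns of A, rows of the master matrix A

def solve_mod(A, b):
    """Return u with u * A = b (mod q), for A of full column rank modulo the prime q:
    Gauss-Jordan on the transposed system; free variables are set to 0."""
    rows = [[A[i][j] % q for i in range(len(A))] + [b[j] % q] for j in range(len(b))]
    pivots, r = [], 0
    for c in range(len(A)):
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], -1, q)
        rows[r] = [x * inv % q for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % q for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    u = [0] * len(A)
    for i, c in enumerate(pivots):
        u[c] = rows[i][-1]
    return u

def annihilates(T, A):
    """True iff every row t of T satisfies t * A = 0 (mod q), i.e. the rows of T lie in A^perp."""
    return all(sum(t[i] * A[i][j] for i in range(len(A))) % q == 0 for t in T for j in range(len(A[0])))

def gso_norms_sq(B):
    """Exact squared Gram-Schmidt norms ||b_i^*||^2 of the rows of B: the 'GSO' the slide wants small."""
    stars, out = [], []
    for b in B:
        v = [Fraction(x) for x in b]
        for s in stars:
            mu = sum(x * y for x, y in zip(v, s)) / sum(y * y for y in s)
            v = [x - mu * y for x, y in zip(v, s)]
        stars.append(v)
        out.append(sum(x * x for x in v))
    return out

def prod(xs):
    p = Fraction(1)
    for x in xs:
        p *= x
    return p

def master_keygen(rng):
    """Constructed stand-in for the master keys: A has an identity top block, so a basis of A^perp
    is given by the rows q*e_i (i < n) and (-a_j, e_j) (j >= n).  Not short, unlike a real trapdoor."""
    A = [[int(i == j) for j in range(n)] for i in range(n)] + \
        [[rng.randrange(q) for _ in range(n)] for _ in range(m - n)]
    T_A = [[q * int(i == k) for k in range(m)] for i in range(n)]
    for j in range(n, m):
        T_A.append([-A[j][k] for k in range(n)] + [int(k == j) for k in range(n, m)])
    return A, T_A

def extend(A, T_A, A_new):
    """The slide's extraction: A_id' = [A; A_new].  Each new row a' is a combination u*A = a' (mod q),
    and appending (-u, e_j) yields the block matrix [[T_A, 0], [-U, Id]], a basis of A_id'^perp."""
    k = len(A_new)
    A_ext = [list(r) for r in A] + [list(r) for r in A_new]
    T_ext = [list(t) + [0] * k for t in T_A]
    for j, a_new in enumerate(A_new):
        u = solve_mod(A, a_new)
        T_ext.append([-x for x in u] + [int(i == j) for i in range(k)])
    return A_ext, T_ext

def demo(seed=7):
    rng = random.Random(seed)
    A, T_A = master_keygen(rng)
    A_new = [[rng.randrange(q) for _ in range(n)] for _ in range(2)]   # the next level's uniform block
    A_ext, T_ext = extend(A, T_A, A_new)
    return {"basis_ok": annihilates(T_A, A) and annihilates(T_ext, A_ext),
            "profile_A": gso_norms_sq(T_A), "profile_ext": gso_norms_sq(T_ext),
            "vol_sq_A": prod(gso_norms_sq(T_A)), "vol_sq_ext": prod(gso_norms_sq(T_ext))}

if __name__ == "__main__":
    print(demo())
```

The extended matrix is block lower-triangular with an identity block, so its GSO profile is that of $T_A$ followed by ones and its volume stays $q^n$; that is why the slide says the new basis has small GSO whenever the old one does.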

Private key randomization

But now id′ knows the private key of id!

id has to randomize the private key of id′ to hide its own.

Use the previous basis of $A_{id'}^\perp$ with small GSO to sample from $D_{A_{id'}^\perp, \sigma}$ for a small $\sigma$.

With sufficiently many samples, we obtain a full rank set of short vectors in $A_{id'}^\perp$.

Convert it into a short basis.

The output distribution is independent of the initial basis.

Concluding on IBE

We have an HIBE that is secure under worst-case lattice assumptions, for selective identity CPA attacks.

This leads to adaptive identity CPA secure HIBE, CCA2-secure encryption, etc.

Similar techniques lead to signatures that are secure in the standard model (without the random oracle).

Open problems

Improving the efficiency.

The SVP approximation factor increases quickly with the number of levels in the hierarchy: $\gamma = n^{O(k)}$. Can we avoid this?

Recent developments

a- Identity-based encryption.

b- Fully homomorphic encryption.

Homomorphic encryption

Given $C_1 = E(M_1)$ and $C_2 = E(M_2)$, can we compute $E(f(M_1, M_2))$ for some $f$, without decrypting?

E.g., for ElGamal: $g^{m_1} \cdot g^{m_2} = g^{m_1 + m_2}$.

An encryption scheme is fully homomorphic if any function (given as a circuit) of any number of $M_i$'s can be evaluated in the ciphertext domain:

$\forall k, \forall f, \exists g : D[g(E(M_1), \dots, E(M_k))] = f(M_1, \dots, M_k)$.

The bit-size of the output of $g$ must be independent of the circuit size of $f$.

Many applications: use untrusted parties to run programs (cloud computing), search over private data (PIR), etc.

The 'holy grail' of cryptography

The question was first asked by Rivest, Adleman and Dertouzos in 1978.

Solved by Craig Gentry in 2009, using ideal lattices.

IBM announcement (25/06/09): An IBM Researcher has solved a thorny mathematical problem that has confounded scientists since the invention of public-key encryption several decades ago. The breakthrough, called "privacy homomorphism," or "fully homomorphic encryption," makes possible the deep and unlimited analysis of encrypted information [...] without sacrificing confidentiality.

A somewhat homomorphic scheme

Sample a good basis $B_J^{sk}$ of an ideal lattice $J$ of "large" determinant, i.e., large minimum, large successive minima, large covering radius, etc.

Let $B_J^{pk}$ be the HNF of $B_J^{sk}$.

To encrypt $M \in \{0,1\}[x]$, take a small random $r \in \mathbb{Z}[x]/(x^n + 1)$ and output $C = M + 2r \bmod B_J^{pk}$.

To decrypt: if $C$ is within distance $\ll \lambda(J)$ of $J$, then Babai's rounding-off algorithm finds $M + 2r$:

$C - B_J^{sk} \lfloor (B_J^{sk})^{-1} C \rceil \Rightarrow M + 2r$.

Correctness and security

Correctness. We must have

$r_{Enc} := \max_{M, r} \|M + 2r\| < r_{Babai, B_J^{sk}}(J) =: r_{Dec}(J)$.

Security: BDD must be hard to solve without $B_J^{sk}$.

With lattice reduction, in time ≈ $2^k$ we can solve this BDD if $r_{Enc} \le 2^{n/k} \cdot r_{Dec}$. Gentry takes $r_{Dec} \approx 2^{\sqrt{n}} \cdot r_{Enc}$.

If $J$ and $B_J^{sk}$ are chosen according to a well specified efficiently samplable distribution, if $M \in \{0,1\}$ and if $r$ is sampled from some discrete Gaussian, then the latter scheme can be made CPA-secure under the assumption that Id-SVP$_\gamma$ is hard to solve for quantum polynomial-time algorithms, for some $\gamma$ that grows faster than any polynomial in $n$.

This is a dimension-preserving worst-case to average-casereduction, but much weaker than the Id-SIS/Id-LWE ones.

Why is it homomorphic?

To encrypt $M \in \{0,1\}[x]$, take a small random $r \in \mathbb{Z}[x]/(x^n + 1)$ and output $C = M + 2r \bmod B_J^{pk}$.

Addition: $C_i = M_i + 2r_i \bmod B_J^{pk}$ implies $C_1 + C_2 = (M_1 + M_2) + 2(r_1 + r_2) \bmod B_J^{pk}$.

Multiplication (we have polynomials): $C_1 \times C_2 = (M_1 \times M_2) + 2(r_1 \times M_2 + r_2 \times M_1 + 2\, r_1 \times r_2) \bmod B_J^{pk}$.

Why is it only “somewhat” homomorphic?

The more operations are applied, the further away from J.

dist(C_1 + C_2, J) ≤ dist(C_1, J) + dist(C_2, J).

dist(C_1 × C_2, J) ≤ K · dist(C_1, J) · dist(C_2, J).

E.g.: If we have t ciphertexts to multiply, then K^t · r_Enc^t may become larger than r_Dec.

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 76/81
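To make the homomorphic identities and the noise growth of the last two slides concrete, here is an added example in Python (not code from the slides or from Gentry): it models only the noise term M + 2r in Z[x]/(x^n + 1) and omits the reduction modulo the public basis B^pk_J, so it is not a cipher, and N, R_ENC and R_DEC are constructed toy stand-ins for n, r_Enc and r_Dec.

```python
# Toy model of the noise term in Gentry's ring-based scheme (added example, not
# the slides' code). Ciphertexts live in Z[x]/(x^n + 1), messages have {0,1}
# coefficients, a fresh ciphertext is M + 2r, and the "mod B^pk_J" step is left
# out: this only tracks how the distance to J grows under + and x.
from __future__ import annotations
import random

N = 8             # constructed ring degree n
R_ENC = 2         # fresh noise r has coefficients in [-R_ENC, R_ENC]
R_DEC = 2 ** 10   # stands in for r_Dec: noise at or beyond it is unrecoverable

def ring_add(a: list[int], b: list[int]) -> list[int]:
    return [x + y for x, y in zip(a, b)]

def ring_mul(a: list[int], b: list[int]) -> list[int]:
    """Negacyclic product: in Z[x]/(x^n + 1), x^n = -1, so wrapped terms flip sign."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return out

def inf_norm(a: list[int]) -> int:
    return max(abs(c) for c in a)

def encrypt(m: list[int], r: list[int]) -> list[int]:
    """C = M + 2r; the slides' reduction modulo B^pk_J is deliberately omitted."""
    return ring_add(m, [2 * c for c in r])

def decrypt(c: list[int]) -> list[int] | None:
    """M = (M + 2r) mod 2 coefficientwise. The real scheme recovers M + 2r only
    while the noise is within r_Dec; R_DEC models that limit (None past it)."""
    if inf_norm(c) >= R_DEC:
        return None
    return [x % 2 for x in c]

def product_noise(m1, r1, m2, r2) -> list[int]:
    """The slide's expansion: C1 x C2 = M1 x M2 + 2(r1 x M2 + r2 x M1 + 2 r1 x r2)."""
    cross = ring_add(ring_mul(r1, m2), ring_mul(r2, m1))
    return ring_add(cross, [2 * c for c in ring_mul(r1, r2)])

def product_identity_holds(m1, r1, m2, r2) -> bool:
    """Check C1 x C2 == M1 x M2 + 2 * product_noise(...) on concrete inputs."""
    lhs = ring_mul(encrypt(m1, r1), encrypt(m2, r2))
    rhs = ring_add(ring_mul(m1, m2), [2 * c for c in product_noise(m1, r1, m2, r2)])
    return lhs == rhs

def multiplicative_depth(seed: int = 1) -> int:
    """Multiply fresh ciphertexts until decryption fails; returns how many products
    still decrypt. Noise grows roughly like K^t r_Enc^t, so the answer is small."""
    rng = random.Random(seed)
    def fresh():
        m = [rng.randint(0, 1) for _ in range(N)]
        r = [rng.randint(-R_ENC, R_ENC) for _ in range(N)]
        return m, encrypt(m, r)
    m_acc, c_acc = fresh()
    depth = 0
    while True:
        m, c = fresh()
        m_acc = [x % 2 for x in ring_mul(m_acc, m)]   # plaintext product mod 2
        c_acc = ring_mul(c_acc, c)
        if decrypt(c_acc) != m_acc:
            return depth
        depth += 1
```

Additions only add the noise norms, while each product multiplies them (times a factor from the ring dimension), which is why multiplicative_depth stays in the low single digits for these parameters.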

Making the scheme fully homomorphic

If many operations have been applied, we try to “refresh” the ciphertext.

We cannot decrypt using the private key.

Trick: encode C = E(M, J^pk_1) further using a second public key, and decode homomorphically using the encryption of the first private key:

D(E(C, J^pk_2), E(J^sk_1, J^pk_2)) = E(D(C, J^sk_1), J^pk_2).

Refreshing as many times as required, we can apply any circuit privately.

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 77/81

The decryption circuit

Problem: Is the decryption circuit simple enough that it can itself be applied without refreshing?

Decryption: C − B^sk_J ⌊(B^sk_J)^{-1} C⌉ provides M + 2r.

B^sk_J ⌊(B^sk_J)^{-1} C⌉ seems too complicated.

We need to “squash” the decryption circuit.

Outline of Gentry’s solution:

There exists v^sk_J with: ∀C : B^sk_J ⌊(B^sk_J)^{-1} C⌉ = ⌊v^sk_J C⌉.

Generate random public v_i’s with a secret sparse subset S which sums to v^sk_J: ∑_{i∈S} v_i = v^sk_J.

The v_i C’s can be computed, and then the decryption reduces to summing up the few correct ones.

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 78/81

Plan

1- Background on Euclidean lattices.

2- The SIS problem, or how to hash.

3- The LWE problem, or how to encrypt.

4- Cryptanalysis.

5- More recent developments.

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 79/81

Conclusion

The schemes are becoming more and more efficient, in particular thanks to structured matrices / ideal lattices.

Lattice reduction is improving.

But still not many schemes are implemented.

Lattice reduction can probably still be improved a lot.

Mainly one library is used for cryptanalysis (Shoup’s NTL), and it is known to behave oddly [GN’08].

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 80/81

Open problems

Can we adapt (some of) the techniques to linear codes?

Can quantum computers improve lattice algorithms?

Can we use lattice algorithms to factor integers or compute discrete logarithms?

Are ideal lattices weaker than general lattices?

Assess the practical limits of lattice reduction.

Damien Stehle Introduction to modern lattice-based cryptography 01/02/2010 81/81
