Date posted: 19-Dec-2015
Lattice-Based Cryptography
Cryptographic Hardness Assumptions
Factoring is hard
Discrete Log Problem is hard
Diffie-Hellman problem is hard
Decisional Diffie-Hellman problem is hard
Problems involving Elliptic Curves are hard
Many assumptions
Why Do We Need More Assumptions?
Number theoretic functions are rather slow
Factoring, Discrete Log, Elliptic curves are “of the same flavor”
Quantum computers break all number theoretic assumptions
Lattice-Based Cryptography
Seemingly very different assumptions from factoring, discrete log, elliptic curves
Simple descriptions and implementations
Very parallelizable
Resists quantum attacks (we think)
Security based on worst-case problems
Average-Case Assumptions vs. Worst-Case Assumptions
Example: Want to base a scheme on factoring
Need to generate a “hard-to-factor” N
How?
Need a “hard distribution”
Picking a Hard-to-Factor N
How do you pick a “good” N?
Just pick p,q as random large primes and set N=pq?
(1978) Largest prime factors of p-1,q-1 should be large
(1981) p+1 and q+1 should have a large prime factor
(1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors
(1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors
...
Picking a Hard-to-Factor N
Need to know a probability distribution over Z such that picking an N according to it will make N hard to factor
Wishful thinking: There is a distribution D such that factoring in the worst case reduces to factoring numbers chosen according to D
Lattice Problems
[Diagram: a worst-case lattice problem (SIVP, shown in the Worst-Case column) reduces to the average-case problems Small Integer Solution (SIS) and Learning With Errors (LWE); these in turn give the Minicrypt primitives (One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes) and the Cryptomania primitives (Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption).]
Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors
Approximate Shortest Independent Vector Problem
Find n pretty short linearly independent vectors
[Diagram: the same reduction picture, now with two worst-case problems, BDD and SIVP, on the left of SIS and LWE; the reduction from SIVP is marked “quantum”.]
Small Integer Solution Problem
Given: Random vectors a_1, ..., a_m in Z_q^n
Find: non-trivial solution z_1, ..., z_m in {-1,0,1} such that:
z_1 a_1 + z_2 a_2 + … + z_m a_m = 0
Observations:
If the size of the z_i is not restricted, then the problem is trivial
Immediately implies a collision-resistant hash function
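As an added example (not from the slides), the collision-resistant hash function this observation refers to, at toy size: the matrix A, the parameters n, m, q and the brute-force collision search are constructed here, and a collision is mapped to a SIS solution with entries in {-1,0,1}.

```python
# Added example (not from the slides): the SIS-based collision-resistant hash
# h_A(z) = A z mod q on z in {0,1}^m.  With m > n log2(q) the domain is larger
# than the range, so collisions exist, and any collision (z, z') gives the SIS
# solution z - z' in {-1,0,1}^m.  Parameters below are constructed toy values.
import random
from itertools import product

N, M, Q = 2, 8, 5   # 2^8 = 256 inputs hashed into only 5^2 = 25 outputs

def make_matrix(n=N, m=M, q=Q, seed=1):
    """Uniformly random A in Z_q^{n x m}; its columns are the SIS vectors a_1..a_m."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

def hash_sis(A, z, q=Q):
    """h_A(z) = A z mod q, returned as a tuple in Z_q^n."""
    return tuple(sum(a * x for a, x in zip(row, z)) % q for row in A)

def find_collision(A, m=M, q=Q):
    """Brute force over {0,1}^m (fine at toy size): first pair with equal hashes."""
    seen = {}
    for z in product((0, 1), repeat=m):
        h = hash_sis(A, z, q)
        if h in seen:
            return seen[h], z
        seen[h] = z
    return None   # impossible once 2^m > q^n (pigeonhole)

def collision_to_sis(z1, z2):
    """Turn a collision into a short solution: entries of z1 - z2 lie in {-1,0,1}."""
    return tuple(a - b for a, b in zip(z1, z2))

def is_sis_solution(A, z, q=Q):
    """Non-trivial, entries in {-1,0,1}, and A z = 0 mod q."""
    return (any(z) and all(x in (-1, 0, 1) for x in z)
            and all(v == 0 for v in hash_sis(A, z, q)))

if __name__ == "__main__":
    A = make_matrix()
    z1, z2 = find_collision(A)
    print("collision:", z1, z2, "-> SIS solution", collision_to_sis(z1, z2))
```

At real parameters the brute-force search is infeasible, which is exactly what the SIS assumption says; the collision-to-SIS mapping is the security argument.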
For Any Lattice ...
Consider the distribution obtained by:
1. Pick a uniformly random lattice point
2. Sample from a Gaussian distribution centered at the lattice point
One-Dimensional Gaussian Distribution
Two-Dimensional Gaussian Distribution
Image courtesy of wikipedia
Gaussians on Lattice Points
Image courtesy of Oded Regev
Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors
The standard deviation of the Gaussian that leads to the uniform distribution is related to the length of the longest vector in the SIVP solution
Worst-Case to Average-Case Reduction
[Figure: a two-dimensional lattice drawn with a finer grid of spacing 1/q (q = 3 in the picture); every grid point carries a label in Z_q^2 made of the digits 0, 1, 2.]
Important: All lattice points have label (0,0) and
All points labeled (0,0) are lattice points (0^n in n-dimensional lattices)
How to use the SIS oracle to find a short vector in any lattice:
Repeat m times:
Pick a random lattice point v_i
Gaussian sample a point s_i around the lattice point, so that v_i + r_i = s_i
All the samples are uniform in Z_q^n (a_i is the Z_q^n label of s_i)
Give the m “Z_q^n samples” a_1, ..., a_m to the SIS oracle
Oracle outputs z_1, ..., z_m in {-1,0,1} such that a_1 z_1 + … + a_m z_m = 0
s_1 z_1 + ... + s_m z_m is a lattice vector (its label is a_1 z_1 + … + a_m z_m = 0)
(v_1 + r_1) z_1 + ... + (v_m + r_m) z_m is a lattice vector
(v_1 z_1 + ... + v_m z_m) + (r_1 z_1 + ... + r_m z_m) is a lattice vector
So r_1 z_1 + ... + r_m z_m is a lattice vector
r_i are short vectors, z_i are in {-1,0,1}
So r_1 z_1 + ... + r_m z_m is a short lattice vector
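An added toy run of this reduction, not part of the original slides: a two-dimensional lattice with a constructed basis, q = 3, m = 6, a Gaussian of assumed width sigma, and a brute-force SIS oracle standing in for the real one; the combination of offsets r_1 z_1 + ... + r_m z_m is checked to be a lattice vector no longer than the sum of the |z_i| times the lengths of the r_i.

```python
# Added example (not from the slides): toy run of the reduction in 2 dimensions.
# Basis, q, m, sigma and the brute-force SIS "oracle" are constructed; a real
# reduction needs sigma large enough that the labels come out uniform in Z_q^n.
import random
from fractions import Fraction
from itertools import product

Q, M, SIGMA = 3, 6, 2.0
B1, B2 = (4, 1), (1, 5)                 # basis of the lattice L = Z b1 + Z b2
DET = B1[0] * B2[1] - B1[1] * B2[0]     # 19

def combo(c1, c2, scale=1):
    """(c1*b1 + c2*b2) / scale as exact Fractions (scale=Q gives the fine grid)."""
    return (Fraction(c1 * B1[0] + c2 * B2[0], scale),
            Fraction(c1 * B1[1] + c2 * B2[1], scale))

def coords(x):
    """Coordinates of x in the basis (b1, b2), i.e. B^{-1} x."""
    return ((B2[1] * x[0] - B2[0] * x[1]) / DET,
            (-B1[1] * x[0] + B1[0] * x[1]) / DET)

def is_lattice_vector(x):
    return all(c.denominator == 1 for c in coords(x))

def sample(rng):
    """Lattice point v_i, Gaussian sample rounded to the grid point s_i;
    returns the label a_i of s_i in Z_Q^2 and the short offset r_i = s_i - v_i."""
    v = combo(rng.randrange(-3, 4), rng.randrange(-3, 4))
    noisy = (float(v[0]) + rng.gauss(0, SIGMA), float(v[1]) + rng.gauss(0, SIGMA))
    k = tuple(round(Q * t) for t in coords(noisy))   # nearest grid point, grid coords
    s = combo(*k, scale=Q)
    return (k[0] % Q, k[1] % Q), (s[0] - v[0], s[1] - v[1])

def sis_oracle(labels):
    """Brute-force SIS oracle: non-zero z in {-1,0,1}^M with sum z_i a_i = 0 mod Q."""
    for z in product((-1, 0, 1), repeat=len(labels)):
        if any(z) and all(sum(zi * a[j] for zi, a in zip(z, labels)) % Q == 0 for j in range(2)):
            return z
    return None   # cannot happen here: 2^M = 64 > Q^2 = 9 forces a collision

def reduction(seed=7):
    """Feed the m labels to the oracle and combine the offsets r_i with the z_i."""
    rng = random.Random(seed)
    samples = [sample(rng) for _ in range(M)]
    z = sis_oracle([a for a, _ in samples])
    w = (sum(zi * r[0] for zi, (_, r) in zip(z, samples)),
         sum(zi * r[1] for zi, (_, r) in zip(z, samples)))
    bound = sum(abs(zi) * float(r[0] ** 2 + r[1] ** 2) ** 0.5 for zi, (_, r) in zip(z, samples))
    return z, w, bound   # w is a lattice vector of length at most `bound`
```

The check that w lies in the lattice uses exact rational arithmetic, so it is the algebra of the slide (sum of z_i k_i divisible by q) rather than a floating-point coincidence.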
Some Technicalities
You can’t sample a “uniformly random” lattice point
In the proofs, we work with Rn / L rather than Rn
So you don't need to sample a random lattice point
What if r1z1+...+rmzm is 0?
Can show that with high probability it isn't
Given an si, there are multiple possible ri
Gaussian sampling doesn’t give us points on the grid
You can round to a grid point
Must be careful to bound the “rounding distance”