Page 1: Lattices & Factoring - IACR

Lattices & Factoring: Invited Talk

Leo Ducas

CWI, Amsterdam, The Netherlands

PKC, May 10th, 2021

Leo Ducas (CWI) Lattices & Factoring

Page 2: Lattices & Factoring - IACR

Modern Cryptography, This Old Thing

Cryptography is getting old.

Cryptography has reached a non-negligible age. Let's write our history before it gets lost.


Page 5: Lattices & Factoring - IACR

Knapsack-based Cryptography

Typical narrative on Knapsack-based cryptography

An embarrassment to forget. Ajtai single-handedly put an end to that dark era.

I do not subscribe to that narrative.

"If I have seen further, it is by standing on the shoulders of Giants." – Isaac Newton

Ajtai is a Giant of Lattice-based Cryptography. Let's enjoy the view he had from the shoulders of his own Giants.


Page 8: Lattices & Factoring - IACR

Today’s Giants

Factoring with Lattice Short Vectors: C-P. Schnorr, L. Adleman

Decoding Lattices by Factorization: B. Chor, R. Rivest


Page 10: Lattices & Factoring - IACR

Part I: Factoring with Lattice Short Vectors


Page 11: Lattices & Factoring - IACR

Factoring: the Quadratic Sieve [Pomerance, 1981]

Notation: $\equiv$ denotes congruence modulo $N$.

Goal: find a non-trivial¹ solution to $X^2 \equiv Y^2$.

$\Rightarrow (X - Y)(X + Y) \equiv 0$
$\Rightarrow \gcd(X \pm Y, N)$ is a non-trivial factor of $N$.

A two-step process:
1. Collect relations
2. Linear algebra

¹ $X \not\equiv \pm Y \pmod N$


Page 13: Lattices & Factoring - IACR

Step 1: Relation Collection

Define a factor basis: $F = \{p \mid p \text{ prime},\ p \le B\}$.

Repeat:
  Pick a random $X$, compute $Z = X^2 \bmod N$.
  Use trial division to write $Z = \prod p_i^{e_i}$ ($p_i \in F$).
  If successful, store the relation $X^2 \equiv \prod p_i^{e_i}$.
Until $B$ relations are collected.

The complexity trade-off
Increasing $B$ improves the success probability of each trial, but more relations are needed. The optimum is at $B = \exp(O(\sqrt{\log N})) = L_N(1/2)$.


Page 15: Lattices & Factoring - IACR

Step 2: Linear Algebra

We have collected relations:

$$X_1^2 \equiv p_1^{e_{1,1}}\, p_2^{e_{1,2}}\, p_3^{e_{1,3}} \cdots$$
$$X_2^2 \equiv p_1^{e_{2,1}}\, p_2^{e_{2,2}}\, p_3^{e_{2,3}} \cdots$$
$$X_3^2 \equiv p_1^{e_{3,1}}\, p_2^{e_{3,2}}\, p_3^{e_{3,3}} \cdots$$
$$\vdots$$

Combine the above to make all exponents even integers. Done by solving a linear system over $\mathbb{F}_2$.

Obtain a solution to
$$X^2 \equiv Y^2 \bmod N$$


Page 18: Lattices & Factoring - IACR

Optimizing Relation Collection

$X^2 \bmod N$ is as large as $N$ for random $X$. Making it smaller would improve the success of trial division.

Could we aim for $X^2 \bmod N$ that are significantly smaller?

Choose $X \approx \sqrt{N}$, so that $X^2 \approx N$. If $X = \sqrt{N} + \varepsilon$, with $\varepsilon \ll \sqrt{N}$, then:
$$X^2 \equiv 2\varepsilon\sqrt{N} + \varepsilon^2$$

The complexity gain: improves the hidden constant in $\exp(O(\sqrt{\log N})) = L_N(1/2)$.
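The two-step procedure of the preceding slides, together with the X ≈ √N trick, as an added Python example (not code from the talk): relations are collected by trial division of X² − N, the F₂ elimination is done incrementally, and the factor comes out of gcd(X ± Y, N). The smoothness bound B = 30 and the toy moduli used in the test are constructed for illustration.

```python
from math import gcd, isqrt

def factor_base(B):
    """Factor basis F = {p prime : p <= B}, by a simple sieve."""
    flags = [True] * (B + 1)
    primes = []
    for p in range(2, B + 1):
        if flags[p]:
            primes.append(p)
            for m in range(p * p, B + 1, p):
                flags[m] = False
    return primes

def trial_divide(z, primes):
    """Exponent vector of z over `primes`, or None if z is not B-smooth."""
    exps = []
    for p in primes:
        e = 0
        while z % p == 0:
            z //= p
            e += 1
        exps.append(e)
    return exps if z == 1 else None

def find_factor(N, B=30):
    """Dixon/QS-style factoring of N with smoothness bound B; None if it fails.
    Step 1: X = ceil(sqrt N) + eps, so Z = X^2 - N = 2 eps sqrt(N) + eps^2
    is far smaller than N and far likelier to be B-smooth than X^2 mod N.
    Step 2: the parity (mod 2) vector of each new relation is reduced against
    a basis of earlier ones; when it reduces to zero, the tracked combination
    is a subset of relations whose product has only even exponents.
    """
    if N % 2 == 0:
        return 2
    r = isqrt(N)
    if r * r == N:
        return r
    primes = factor_base(B)
    xs, exps = [], []   # relations X_i^2 = prod_j p_j^{e_ij} (mod N)
    basis = {}          # pivot bit -> (reduced parity vector, combination mask)
    for x in range(r + 1, N):
        ev = trial_divide(x * x - N, primes)
        if ev is None:
            continue
        i = len(xs)
        xs.append(x)
        exps.append(ev)
        v = sum(1 << j for j, e in enumerate(ev) if e & 1)
        comb = 1 << i
        while v:
            pivot = v & -v
            if pivot not in basis:
                basis[pivot] = (v, comb)
                break
            bv, bc = basis[pivot]
            v ^= bv
            comb ^= bc
        else:
            # The relations flagged in comb multiply to a perfect square.
            X, total = 1, [0] * len(primes)
            for j in range(i + 1):
                if comb >> j & 1:
                    X = X * xs[j] % N
                    total = [a + b for a, b in zip(total, exps[j])]
            Y = 1
            for p, e in zip(primes, total):
                Y = Y * pow(p, e // 2, N) % N
            for cand in (gcd(X - Y, N), gcd(X + Y, N)):
                if 1 < cand < N:
                    return cand
            # X = +-Y (mod N) is a trivial solution: keep collecting.
    return None
```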


Page 21: Lattices & Factoring - IACR

Aiming Better [Schnorr 1991]

A Relaxation: the left-hand side need not be a square; B-smooth can do as well:
$$p_1^{e'_1}\, p_2^{e'_2}\, p_3^{e'_3} \cdots \equiv p_1^{e_1}\, p_2^{e_2}\, p_3^{e_3} \cdots$$
$$1 \equiv p_1^{e_1 - e'_1}\, p_2^{e_2 - e'_2}\, p_3^{e_3 - e'_3} \cdots$$

Our New Goal: find positive exponents $(e'_1, e'_2, e'_3, \ldots)$ such that
$$p_1^{e'_1}\, p_2^{e'_2}\, p_3^{e'_3} \cdots \approx N$$

This is an (approximate) knapsack problem!
$$e'_1 \ln p_1 + e'_2 \ln p_2 + e'_3 \ln p_3 + \cdots \approx \ln N$$


Page 23: Lattices & Factoring - IACR

Aiming with lattices [Schnorr 1991]

Choose a constant $C$ to rewrite the knapsack as a lattice CVP:
$$
\begin{pmatrix}
\ln p_1 & & & & \\
& \ln p_2 & & & \\
& & \ln p_3 & & \\
& & & \ddots & \\
& & & & \ln p_n \\
C \ln p_1 & C \ln p_2 & C \ln p_3 & \cdots & C \ln p_n
\end{pmatrix}
\cdot
\begin{pmatrix} e'_1 \\ e'_2 \\ e'_3 \\ \vdots \\ e'_n \end{pmatrix}
\approx
\begin{pmatrix} 0 \\ 0 \\ 0 \\ \vdots \\ 0 \\ C \ln N \end{pmatrix}
$$

Knapsack ≠ CVP: the lattice solution $(e'_1, e'_2, e'_3, \ldots)$ may not have positive exponents.

But that might be OK!
$u/v \approx N \Rightarrow u \approx vN$, therefore $S = u - vN$ may be small. Quality degrades as $v = \prod_{e'_i < 0} p_i^{-e'_i}$ gets larger.


Page 25: Lattices & Factoring - IACR

Attempting Average-Case Analysis

Lattice Pitfalls

The lattice is not full dimensional: apply due projections.
The Gaussian Heuristic seems invalid for certain $C$.
The ℓ2 norm is a bit inadequate; ℓ1 is more relevant.
Naive predictions of ℓ2/ℓ1 can also fail.

Trial Division Pitfall

B-smoothness probability of $S = u - vN$ is lower than expected:
$$p_i \mid u \ \vee\ p_i \mid v \ \Rightarrow\ p_i \nmid S$$

Mind the Variants

Most papers force $B = p_n$ or $B = 1$. Here: $B$ unconstrained. The diagonal part of the lattice may vary as well.


Page 26: Lattices & Factoring - IACR

Experiments

[Figure: log S / log N (y-axis, 0 to 1) against the lattice dimension n (x-axis, 10 to 60), with curves for N of 50, 100, 200 and 400 bits and the QS baseline.]

The size of S roughly dictates the cost of the non-lattice steps. For factoring a 100-bit N, to beat QS at the non-lattice steps, we should need a lattice dimension of at least n ≥ 50.


Page 28: Lattices & Factoring - IACR

My two Cents

It's a deep and brilliant idea . . . that doesn't seem to work. A solid complexity analysis is still missing and appears quite challenging . . . It nevertheless found applications beyond factoring:

An attempt at proving SVP ≥ Factoring [Adleman 1995]
A successful proof of NP-hardness for SVP [Ajtai 1998]
Idea reused in relation to the abc-conjecture [Bright 2014]
Idea reused in a Module-LLL algorithm [LPSW 2019]


Page 30: Lattices & Factoring - IACR

A Surprising Twist [Ajtai 1998]

Recall the gap between Knapsack and SVP:
Knapsack solutions lie in $\{0, 1\}^n$, SVP solutions in $\mathbb{Z}^n$.
Knapsack was known to be NP-hard, but not SVP.

The key insight
$\{0, 1\}^n$ solutions in the Schnorr-Adleman lattice are in correspondence with smooth and square-free integers. We know how to count those!

A proof that SVP ≥ Knapsack. Therefore SVP is NP-hard.
Learn more from Daniele's talk next week at the RISC seminar.


Page 33: Lattices & Factoring - IACR

Part II: Decoding Lattices by Factorization


Page 34: Lattices & Factoring - IACR

Dense Lattice with Efficient Decoding

In this whole section we work with the ℓ1 norm!

Bounded Distance Decoding with radius $r$
Given $t = v + e$ where $v \in L$ and $\|e\| \le r$, recover $v$ and $e$.
Unique solution guaranteed for $r \le \lambda_1(L)/2$.

Minkowski's bound
$$\frac{\lambda_1(L)}{\det(L)^{1/n}} \le O(n)$$
We want a lattice and a decoding algorithm close to this bound.


Page 35: Lattices & Factoring - IACR

Chor-Rivest Cryptosystem and Friends

The Key Idea [Chor Rivest 1988]

Subset-sum is hard. Subset-product is easy (trial divisions). Take logarithms, disguise the latter as the former, get crypto.

Variants/Follow-ups [Lenstra '90, Li Ling Xing Yeo '17]. Originally over $\mathbb{F}_p[X]$; variants over $\mathbb{Z}$: [Naccache Stern '97, Okamoto Tanaka Uchiyama '00].

A Coding Gem Hidden Inside

[Brier et al. '15]: remove the crypto from [NS'97]; it hides a good decodable binary code. [D. Pierrot '18]: [CR88, OTU00] hide a good decodable lattice.


Page 38: Lattices & Factoring - IACR

Chor-Rivest Lattice (over the integers)

Choose a modulus $M = 3^k$ and a factor basis $F = \{2, 5, 7, 11, 13, \ldots, p_n\}$, $B := p_n \sim n \ln n$.

Define the morphism $\psi : \mathbb{Z}^n \to (\mathbb{Z}/M\mathbb{Z})^*$, $\psi : x \mapsto \prod p_i^{x_i} \bmod M$, and finally define the kernel lattice
$$L := \ker \psi = \{ v \in \mathbb{Z}^n \mid \prod p_i^{v_i} = 1 \bmod M \}.$$

The lattice can be computed efficiently!
Discrete logarithms modulo $M = 3^k$ are easy. Rewrites as a subset-sum lattice
$$L = \{ v \in \mathbb{Z}^n \mid \sum v_i \,\mathrm{dlog}\, p_i = 0 \bmod \varphi(M) \}.$$


Page 40: Lattices & Factoring - IACR

Lattice Parameters

Lattice parameters: $\dim L = n$, $\det L \le \varphi(M) \le M$.

Claim: $\lambda_1(L) \ge \log M / \log B$ (not exactly true . . . )
Recall that $L = \{ v \in \mathbb{Z}^n \mid \prod p_i^{v_i} = 1 \bmod M \}$.
For $v \ne 0$ to be in $L$, $\prod p_i^{v_i}$ must wrap around mod $M$.
In particular $B^{\|v\|_1} \ge M$ (this proof is a bit bogus!)

Instantiate with $k = n$, i.e. $M = 3^n$:
$$\frac{\lambda_1(L)}{\det(L)^{1/n}} \ge O\!\left(\frac{n}{\log n}\right)$$
That is only an $O(\log n)$ factor away from the Minkowski bound.


Page 42: Lattices & Factoring - IACR

Decoding Chor-Rivest Lattice

Bounded Distance Decoding with radius $r = \log M / \log B$
Given $t = v + e$ where $v \in L$ and $\|e\| \le r$, recover $v$ and $e$.

Compute
$$f = \prod p_i^{t_i} \bmod M = \prod p_i^{v_i} \prod p_i^{e_i} \bmod M = \prod p_i^{e_i} \bmod M.$$

Note $\prod p_i^{e_i} \le B^r \le M$: we know it over $\mathbb{Z}$, not just mod $M$.
Factorize it by trial division: recover $e$.


Page 44: Lattices & Factoring - IACR

Dealing with Negative Errors

Now assume $2 \cdot B^r < \sqrt{M}$.
$$f = \prod_{e_i > 0} p_i^{e_i} \cdot \prod_{e_i < 0} p_i^{e_i} = u/v \bmod M.$$

Lemma (Recovering $u, v$ given $f$ and $M$)
Let $u, v, M$ be coprime s.t. $u, v < \sqrt{M}/2$, and let $f = u/v \bmod M$. Then $\pm(u, v)$ are the shortest vectors of the 2-dimensional lattice
$$L = \{ (x, y) \in \mathbb{Z}^2 \mid x - fy = 0 \bmod M \}.$$
In particular, given $f$ and $M$, one can recover $(u, v)$ in poly-time.
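An added Python example (not code from the talk or from the Chor-Rivest papers) of the construction of the preceding slides: the morphism ψ and its kernel lattice, decoding of non-negative errors by trial division, and decoding with negative errors through the 2-dimensional lattice of the lemma, with Lagrange (Gauss) reduction as the poly-time step. The parameters n = 6, M = 3^40 and the vectors V, E are constructed; the lattice point is taken from the sublattice φ(M)·Zⁿ ⊆ ker ψ so that no discrete logarithms are needed.

```python
from math import isqrt

def factor_base(n):
    """F = {2, 5, 7, 11, 13, ...}: the first n primes other than 3, since 3 | M."""
    primes, p = [], 2
    while len(primes) < n:
        if p != 3 and all(p % q for q in range(2, isqrt(p) + 1)):
            primes.append(p)
        p += 1
    return primes

def psi(x, primes, M):
    """The morphism psi: Z^n -> (Z/MZ)^*, x -> prod p_i^{x_i} mod M.
    Negative x_i are fine: pow() inverts p_i mod M (Python >= 3.8)."""
    f = 1
    for p, xi in zip(primes, x):
        f = f * pow(p, xi, M) % M
    return f

def trial_divide(z, primes):
    """Exponent vector of z over `primes`; raises if z is not F-smooth."""
    exps = []
    for p in primes:
        e = 0
        while z % p == 0:
            z //= p
            e += 1
        exps.append(e)
    if z != 1:
        raise ValueError("not F-smooth: decoding radius exceeded")
    return exps

def decode_nonneg(t, primes, M):
    """BDD for e >= 0, ||e||_1 <= r = log M / log B. Since v in ker(psi),
    psi(t) = prod p_i^{e_i} mod M, and that product is <= B^r <= M, so
    it is known over Z and trial division reveals e."""
    e = trial_divide(psi(t, primes, M), primes)
    return [ti - ei for ti, ei in zip(t, e)], e

def shortest_vector_2d(f, M):
    """Lagrange (Gauss) reduction of {(x, y) in Z^2 : x - f*y = 0 mod M},
    spanned by (f, 1) and (M, 0); returns a shortest nonzero vector."""
    def norm2(b):
        return b[0] * b[0] + b[1] * b[1]
    b1, b2 = (f, 1), (M, 0)
    while True:
        if norm2(b2) < norm2(b1):
            b1, b2 = b2, b1
        n1 = norm2(b1)
        dot = b1[0] * b2[0] + b1[1] * b2[1]
        mu = (2 * dot + n1) // (2 * n1)          # nearest integer to dot / n1
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])
        if norm2(b2) >= n1:
            return b1

def decode_signed(t, primes, M):
    """BDD allowing negative errors, assuming 2 * B^r < sqrt(M): then
    psi(t) = u / v mod M with u = prod_{e_i>0} p_i^{e_i}, v = prod_{e_i<0} p_i^{-e_i},
    both below sqrt(M) / 2, so +-(u, v) is the shortest vector (lemma)."""
    u, v = shortest_vector_2d(psi(t, primes, M), M)
    if v < 0:
        u, v = -u, -v
    eu, ev = trial_divide(u, primes), trial_divide(v, primes)
    e = [a - b for a, b in zip(eu, ev)]
    return [ti - ei for ti, ei in zip(t, e)], e

# Constructed toy parameters: n = 6, k = 40, M = 3^40, phi(M) = 2 * 3^39, B = 17.
PRIMES = factor_base(6)                  # [2, 5, 7, 11, 13, 17]
M = 3 ** 40
PHI = 2 * 3 ** 39
# phi(M) * Z^n is a sublattice of ker(psi): a lattice point without dlogs.
V = [PHI * a for a in (1, -2, 0, 3, 0, 1)]
E = [2, 0, -1, 0, 1, -3]                 # ||E||_1 = 7; 2 * 17^7 < 3^20 = sqrt(M)
T = [vi + ei for vi, ei in zip(V, E)]
```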


Page 45: Lattices & Factoring - IACR

The last mile ?

We are still O(log n) away from Minkowski's bound... The issue is that we do not have enough small primes. To get down to O(1) away from Minkowski's bound, we need n primes of 'size' O(1).

Switching back from Z to F_p[X] doesn't improve asymptotics. Elliptic curves could? And what about Mordell-Weil lattices? [Shioda '91, Elkies '94]

A Recent Result: using a completely different approach (construction D lattices over BCH codes), we are now O(√log n) away from Minkowski's bound [Mook Peikert 2020].


Page 47: Lattices & Factoring - IACR

Why Cryptographers Should Care

Chor-Rivest Knapsack Cryptosystem is not Broken

And offers very short ciphertexts! The underlying assumption is intriguing, especially quantumly.

Some kind of reverse of discrete logarithm problem

Chor-Rivest Decoding can be practical [Li Ling Xing Yeo 2017]

Better decoding in a pure LWE-based scheme ?

And for Something Completely Different [Galbraith Li 2020]

VBB Obfuscation of "near-equality" tests !


Page 48: Lattices & Factoring - IACR

Part III: A Critique of Research in Lattice-Based Cryptography


Page 49: Lattices & Factoring - IACR

The SIS/LWE Monoculture²

Due credits: the SIS/LWE formalism has achieved impressive feats, and the foundational work from TCS experts was exceptionally thorough.

But . . .

Worst-case hardness is not a silver bullet, and does not dispense us from cryptanalysis.

We have locked ourselves in a subspace of designs, and current designs are likely far from optimal.

Some very interesting ideas have been buried, if not demoted to cryptographic sins.

² Not a critique of the contributions, but of what we have done with them.


Page 51: Lattices & Factoring - IACR

A Diversity of Lattices

Z^n, the Saddest of all Lattices: all algorithmic tasks (encode, decode, sample) in lattice-based cryptography are reduced to Z or Z^n. Yet, geometrically (packing, covering, . . . ) Z^n is the worst lattice.

There are so many more! Root lattices³, Leech lattice, Construction D lattices, Barnes-Wall lattices, Craig's lattices, Schnorr-Adleman lattices, Chor-Rivest lattices, Mordell-Weil lattices, . . .

http://www.math.rwth-aachen.de/~Gabriele.Nebe/LATTICES/

³ If you ever deal with prime cyclotomic rings, please read https://www.math.leidenuniv.nl/scripties/BachVanWoerden.pdf


Page 54: Lattices & Factoring - IACR

Cryptography Thrives in Diversity!

Lattice-based Cryptography needs:
More diversity of Backgrounds
More diversity of Points of View
More diversity of Goals
More diversity of People!

Thank You !
