Cryptography from worst-case complexity assumptions Daniele - PowerPoint PPT Presentation

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France)

Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Choosing security parameters – Using lattices with special properties

Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Choosing security parameters – Using lattices with special properties

Point Lattices ● Set of all integer linear combinations of basis vectors B = [b 1 ,...,b n ] ⊂ R n ● L(B)={Bx: x  Z n } ⊂ span(B)={Bx: x  R n } b 1 +3b 2 B b 1 b 2

Successive Minima ● For every n-dimensional lattice L, and i=1,...,n , the i th successive minimum λ i (L) is the smallest radius r such that Ball(0,r) contains i linearly independent lattice vectors λ 1 λ 2

Lattice problems ● Shortest Vector Problems (SVP) – Given a lattice L, find the nonzero lattice vector v closest to the origin (||v|| ≤ γ λ 1 (L)) ● Shortest Independent Vect. Prob. (SIVP) – Given a lattice L, find n lin. independent vectors v 1 ,...,v n of length max i ||v i || ≤ γ λ n (L) ● Approximation factor γ (n) usually a function of the lattice dimension n.

Lattice Reduction Algorithms ● [LLL] solves SVP γ and SIVP γ for γ = 2 O(n) – Still useful in many algorithmic applications ● [Sch,NS] Improve polynomial running time of LLL ● [Sch,AKS] Improve γ = 2 O(n log(n) / log log (n)) ● This talk – Assume no efficient algorithm solves lattice problems substantially better than LLL – Application: design cryptographic functions

Complexity of SVP, SIVP, CVP 2 n n n 100 γ = O(1)  n NP NP coAM / coNP coNP P / RP RP coAM P hard ● NP NP-hard [vEB, Ajt, ABSS, Mic, BS, K] ● coAM, coNP coAM, coNP [GG, AR, GMR] ● P P, RP RP [LLL, Sch, AKS] ● Conjecture: SVP, SIVP are hard for γ =n O(1) – not NP NP-hard, but still hard (e.g., not in P P)

Cryptography by examples (1) Public Key Encryption ● Alice wants to send m to Bob, privately – Bob generates (pk,sk), and publishes pk – Alice retrieves pk, and send E(pk,m) to Bob – Bob uses sk to retrieve m = D(sk,E(pk,m)) m m Adversary Alice: ... Bob: pk Oded: ... Alice E(pk,m) Bob

Cryptography by examples (1) Public Key Encryption ● Alice wants to send m to Bob, privately – Bob generates (pk,sk), and publishes pk ● Security: – Computing m from pk & E(pk,m) is hard with high probability, when pk is randomly chosen ??? m m Adversary Alice: ... Bob: pk Oded: ... Alice E(pk,m) Bob

Cryptography by examples (2) Collision Resistant Hashing ● H(pk,m): No sk! Only pk. {0,1} N H(pk,.) – H(pk, {0,1} N ) = {0,1} n , N>>n {0,1} n ● Security: – finding collisions H(pk,m) = H(pk,m') is hard when pk is chosen at random H(pk,m')=h? Adversary To Bob: m Alice m m' Bob pk, H(pk,m)=h

“Provable security” approach to Cryptography ● Start from a hard computational problem – e.g., factoring large prime product N=pq ● Define a cryptographic function that is somehow related to the hard problem – e.g., modular squaring f(x) = x 2 mod N ● Reduce solving the hard problem to breaking the cryptographic function – If you were able to compute square roots mod N, then you could efficiently factor N

Worst-case vs. Average-case ● Worst-case complexity – A problem can be solved in time T(n) if there is an algorithm with running time T(n) that solves all problems instances of size n – Used in algorithms and complexity: P,NP,etc. ● Average-case complexity – There is an algorithm that solves a large fraction of the instances of size n – Used in cryptography: assume there is no such algorithm

Provable security from average case hardness ● Example: (Rabin) modular squaring – f N (x) = x 2 mod N, where N=pq, ... – Inverting f N is as hard as factoring N ● f N is cryptographically hard to invert, provided most N are hard to factor All N's All f N 's hard f N 's hard N's

Provable security from worst case hardness ● Any fixed L is mapped to random f N ● f N is cryptographically hard to invert if lattice problem L is hard in the worst case hard L easy f N 's hard f N 's All L's

Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Using lattices with special properties – Choosing security parameters

The Subset-sum Problem Subset-sum function f A (x 1 ,...,x m ) = Σ a i x i a 2 a 1 a 3 a i : ring elements a 4 x i : 0/1 a 5 a 6 a 7 b=a 2 +a 4 +a 5 +a 6 +a 8 a 9 a 8 a 10 weights Subset Sum Problem: Given weights A = (a 1 ,...,a m ) and target b, find coefficients x 1 ,...,x m such that f A (x 1 ,...,x m ) = b.

Subset-sum Hash function ● Key: A = [a 1 ,...a m ] where a i is in group G ● Input: x=(x 1 ,...,x m ) where x i =0/1 ● Output f A (x) = Ax = Σ a i x i ● Collisions: – 0/1 vectors x, y such that Ax = Ay – Equiv.: -1/0/1 vector z =(x-y) such that Az=0 ● Parameters: – m > log 2 |G|, e.g., G = Z n /(pZ n ), m =2n log(p)

Lattice based cryptography Lattice problem construction Cryptographic Worst-case hard function f(x) Approximation Attack security proof algorithm ● Proof of security: – Assume can break random function f A (x) – Use attack(A) to solve SIVP on any lattice B ● Main problem – A need to depend on B – A should be uniformly random, given B

Lattice based Hash function (oversimplified version) ● Construction: – Subset-sum over R – Key: random points a 1 ,...,a m in R n – Function: f A (x 1 ,...,x m ) = Σ i a i x i , (x i in {0,1}) – f A : {0,1} m --> R n ● Technical problem – Range R n is infinite, so f A never compresses – We will address this using Z M n instead of R n

Intuition random R n LATTICE noise Every point in R n can be written as the sum a = v + r of a lattice point v and small error vector r

Security proof ● Proof of security: – Generate random key as a i =v i +r i (i=1,...n) – Find a collision f A (x 1 ,...,x m )=f A (y 1 ,...,y m ) – Notice: Σ i a i z i = 0, where z i = x i - y i ● Substituting a i =v i +r i and rearranging: Σ i v i z i = - Σ i r i z i Lattice short vector vector

Technical details ● Issues with oversimplified construction – Cannot pick uniformly random lattice point v i – Range of the function R n is infinite ● Solution – Work “modulo L(B)” – Use fine grid Z n /q instead of R n ● Final result mxn – f A (x) = Ax mod q, where A is in Z q

Adding noise to “all” lattice points ● Reducing a point modulo a lattice x

Adding noise to “all” lattice points ● Reducing a point modulo a lattice x

Adding noise to “all” lattice points ● Reducing a point modulo a lattice x

Error vector modulo the lattice ● Same as adding noise to all lattice points x (x mod B) ● How much noise is needed to get almost uniform distribution modulo B?

Smoothing parameter [MR] O(s n 1/2 ) ● Gaussian ρ s (x) = exp(- π || x/s|| 2 ) ● Smoothing parameter –   (L(B)) = smallest s s.t. ρ 1/s (L(B)* \ {0}) ≤  . ● Properties: – For s =   (L(B)), distribution (s -n ρ s mod B) is within ε /2 distance from uniform over P(B) –   (L(B)) < log(n) λ n (L(B))

Remark: Worst to Average case connection ● The set L = {z in Z m | f A (z)=0} is a lattice ● Collisions: z=x-y in L of norm ||z|| max = 1 ● Security proof: Exact (L max ) SVP Approximate SIVP reduction Random lattice Arbitrary lattice dimension = m >> n dimension = n Worst-case Average-case complexity assumption cryptanalysis

More Crypto from Lattices ● One-way hash functions – [Ajt], [CN], [Mic], [MR] ● Public key encryption – [AD, Reg] public key encryption based on hardness of uSVP ● More efficient constructions – [Mic], [PR], [LM] hash functions with almost linear complexity based on hardness of cyclic lattices

Public Key Encryption ● Public key encryption [AD, Reg] – Requires planting a trapdoor for decryption – Can be done by using lattices where λ 1 << λ 2 ● Unique SVP (uSVP) – Solve SVP on special class of lattices such that λ 1 << λ 2 – Still worst-case assumption, but over smaller class of lattices ● [Rev] PKC from quantum hardness of SVP

Key Size of subset-sum function x 1 x 2 * O(n) bits Σ x i a i a 1 a 2 a m * * * x m m=O(n) Key size = O(n 2 ) {0,1}

Compact knapsacks x 1 * 2n bits Σ x i a i a m a 1 * * x m m = O(1) D, |D|= 2 n Key size = O(n)

Ring choice and security ● Traditional compact knapsacks – a i in Z N , x i in {0,...,M}, e.g. M=2 n and N=2 2n – ILP with few vars: insecure! ● Quotient ring of polynomials: – a i in Z p [X] / q(X), e.g. – x i in {0,...,p d } n ● [Mic] If q(X) = X n –1, as hard to invert as solving SIVP on any cyclic lattice L, i.e. – L closed under [1,2,3,4,5] ----> [2,3,4,5,1]