FIT5124 Advanced Topics in Security
Lecture 4: Lattice-Based Crypto. IV

Ron Steinfeld
Clayton School of IT, Monash University
March 2016

Ron Steinfeld FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Mar 2014 1/33
Plan for this lecture

- How to construct lattice-based encryption schemes? (continued)
  - Security of LWE: How to choose parameters for a given security level?
- Efficiency Considerations: How to make lattice-based crypto. practical
  - Multibit encryption: Reducing ciphertext expansion
  - Structured Lattices (Ring-LWE): Reducing key length and computation time
Security of Learning with Errors (LWE) Problem

Why do we believe LWE is hard?

Theoretical Reason: Analogue of Ajtai's average-case to worst-case connection Theorem for SIS can also be established for LWE (Regev 2005 [Reg05]):

Theorem. If there is an algorithm A that solves $\text{Decision-LWE}_{q(n), m(n), n, \alpha(n)}$ in poly-time, with non-negligible distinguishing advantage, for $\alpha(n) \cdot q(n) > 2\sqrt{n}$, then there is a quantum algorithm B that solves $\gamma(n)$-GapSVP in polynomial time for all input lattices $L$ of dimension $n$ with $\gamma = \tilde{O}(n/\alpha)$.

- $\gamma(n)$-GapSVP is a decision variant of $\gamma(n)$-SVP that asks, given a basis $B$ for an $n$-dim. lattice $L$ and an integer $d$, to decide whether $\lambda_1(L) \le d$, or $\lambda_1(L) > \gamma(n) \cdot d$.
- More recent improvements to this result allow B to be a classical algorithm if either $q > 2^{n/2}$ [Pei09], or the dimension of the lattice input to B is $\sqrt{n}$ [B13].
- We won't study this proof, but it gives us a theoretical foundation for the security of LWE.
Learning with Errors (LWE) Problem - Practical Security

Why do we believe LWE is hard?

Practical Reason: In most cases, essentially the best known attack on Decision LWE is a reduction of LWE to SIS. Given an LWE instance $(A \in \mathbb{Z}_q^{m \times n}, \vec{y} \in \mathbb{Z}_q^m)$:

- Find a short non-zero vector $\vec{v}$ in the SIS lattice $L_q^{\perp}(A^T)$ with $\|\vec{v}\| \le \beta$ (i.e. solve $\beta$-SIS for $A^T$). Note that $A^T \cdot \vec{v} = \vec{0} \bmod q$, or $\vec{v}^T \cdot A = \vec{0}^T \bmod q$.
- Compute $e' = \vec{v}^T \cdot \vec{y} \bmod q$.
- In the 'Real LWE Scenario' ($\vec{y} = A \cdot \vec{s} + \vec{e} \bmod q$): $e' = \vec{v}^T \cdot \vec{e}$. Since $\vec{e}$ and $\vec{v}$ are both 'small', so is $e'$: for fixed $\vec{v}$, $e'$ is normally distributed with std. dev. $\|\vec{v}\| \cdot \alpha q$, so it is 'small' if $\|\vec{v}\| \cdot \alpha q \ll q$, or $\beta = \|\vec{v}\| \ll 1/\alpha$.
- In the 'Random LWE Scenario' ($\vec{y}$ uniform in $\mathbb{Z}_q^m$): $e' = \vec{v}^T \cdot \vec{y} \bmod q$ is uniformly random in $\mathbb{Z}_q$, not likely to be 'small' compared to $q$.
- If $|e'| < q/4$, return 'REAL LWE', else return 'Random LWE'.

Conclusion: Solving Decision $\text{LWE}_{q,m,n,\alpha}$ reduces to solving $\text{SIS}_{q,m,n,\beta \approx 1/\alpha}$. Choose parameters so that $\text{SIS}_{q,m,n,\beta \approx 1/\alpha}$ is hard!
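The distinguisher above, carried out numerically as an added example (this code is not from the slides). The hard step, finding a short vector in $L_q^{\perp}(A^T)$, is sidestepped by planting one: the last row of $A$ is chosen as a small combination of the other rows, which is a toy construction assumed for this demo and not a lattice algorithm. Parameters, the sampler and all inputs are constructed toy values; `run_experiment` returns how often the $|e'| < q/4$ test says 'REAL' on real and on random samples, which shows why parameters must put $\beta \approx 1/\alpha$ out of reach.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
Q, N, M = 257, 4, 12
SIGMA = 1.0        # alpha*q, std. dev. of the rounded-Gaussian error chi_{alpha q}
BOUND = 1          # entries of the planted short vector lie in {-BOUND, ..., BOUND}


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def planted_sis_instance(rng):
    """Build A (M x N) together with a short v such that v^T A = 0 mod Q.
    Planting trick (an assumption of this demo, not a lattice-reduction step):
    the last row of A is sum_i v_i * row_i and the last entry of v is -1."""
    v = [rng.randrange(-BOUND, BOUND + 1) for _ in range(M - 1)] + [-1]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M - 1)]
    A.append([sum(v[i] * A[i][j] for i in range(M - 1)) % Q for j in range(N)])
    return A, v


def is_sis_solution(A, v):
    """Check v^T A = 0 mod Q, i.e. v lies in the SIS lattice of A^T."""
    return all(sum(v[i] * A[i][j] for i in range(M)) % Q == 0 for j in range(N))


def lwe_sample(rng, A, real):
    """Real scenario: y = A s + e mod Q; random scenario: y uniform in Z_Q^M."""
    if not real:
        return [rng.randrange(Q) for _ in range(M)]
    s = [rng.randrange(Q) for _ in range(N)]
    return [(sum(a * b for a, b in zip(row, s)) + round(rng.gauss(0, SIGMA))) % Q
            for row in A]


def decide(y, v):
    """e' = v^T y mod Q; a small e' indicates a real LWE sample."""
    e_prime = centered(sum(a * b for a, b in zip(v, y)), Q)
    return "REAL" if abs(e_prime) < Q / 4 else "RANDOM"


def run_experiment(seed=0, trials=400):
    """Fraction of real samples and of random samples classified as 'REAL'."""
    rng = random.Random(seed)
    A, v = planted_sis_instance(rng)
    assert is_sis_solution(A, v)
    real_rate = sum(decide(lwe_sample(rng, A, True), v) == "REAL" for _ in range(trials)) / trials
    rand_rate = sum(decide(lwe_sample(rng, A, False), v) == "REAL" for _ in range(trials)) / trials
    return real_rate, rand_rate


if __name__ == "__main__":
    real_rate, rand_rate = run_experiment()
    print(f"real samples called REAL: {real_rate:.2f}")
    print(f"random samples called REAL: {rand_rate:.2f}  (about (q/2)/q = 1/2 expected)")
```

With these toy values $\|\vec{v}\| \cdot \alpha q \le \sqrt{12} \ll q/4$, so every real sample passes the test, while a random sample passes only about half the time: a distinguishing advantage near $1/2$, exactly the failure the slide's conclusion is designed to rule out.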
Learning with Errors (LWE) Problem - Practical Security

- The condition $\alpha q > 2\sqrt{n}$ from Regev's security reduction is important to security (in general)!
- LWE is insecure when $\alpha q \approx 1$ and $m$ is sufficiently large ($\ge m^2$)!!
- Idea: Algebraic attacks!
Efficiency Considerations in Lattice-Based Crypto.

Recall Regev's public-key encryption scheme [Reg05]:

- Public key $pk = (A \leftarrow U(\mathbb{Z}_q^{m \times n}),\ \vec{p} = A \cdot \vec{s} + \vec{e} \bmod q)$ with $\vec{e} \leftarrow \chi^m_{\alpha q}$.
  Length($pk$) $= m \cdot (n+1) \log q \ge n^2 \log q$ bits: at least quadratic in the sec. par. $\lambda$: $O(\lambda^2)$!!
- Secret key $\vec{s} \in \mathbb{Z}_q^n$.
- Encryption, Enc($m \in \mathbb{Z}_t$): Return ciphertext $C = (\vec{a}^T = \vec{r}^T \cdot A \bmod q,\ c = \vec{r}^T \cdot \vec{p} + \lceil q/t \rfloor \cdot m \bmod q)$.
  Ciphertext expansion ratio $= \mathrm{Length}(C)/\mathrm{Length}(m) = (n+1) \cdot \log q / \log t$: at least linear in the sec. par. $\lambda$: $n + 1 = O(\lambda)$!!
  Encryption time: $O(mn \log q)$ bit ops.: at least quadratic in $\lambda$: $O(\lambda^2)$!!
- Decryption, Dec($C = (\vec{a}^T, c)$): Compute $c' = c - \vec{a}^T \cdot \vec{s} \bmod q$, round to the nearest multiple of $\lceil q/t \rfloor$ mod $q$ to get $c''$. Return plaintext $m = c'' / \lceil q/t \rfloor$.
Efficiency Considerations: Ciphertext Expansion

Reducing the ciphertext expansion ratio in Regev encryption

- Observe: The $\vec{a}^T$ component of the ciphertext encodes only enc. randomness, not message bits.
- Idea ([PVW08]): 'Reuse' this randomness with new secrets $\vec{s}_i$:

Modified Regev Scheme ($\ell$ = number of secret key vectors):

- Public key $pk = (A \leftarrow U(\mathbb{Z}_q^{m \times n}),\ P = (\vec{p}_1, \ldots, \vec{p}_\ell))$ where $\vec{p}_i = A \cdot \vec{s}_i + \vec{e}_i \bmod q$ with $\vec{e}_i \leftarrow \chi^m_{\alpha q}$.
  Length($pk$) $= m \cdot (n + \ell) \cdot \log q$: $\approx (1 + \ell/n)$-times larger than the orig. scheme ($\ell = 1$).
- Secret key $S = (\vec{s}_1, \ldots, \vec{s}_\ell) \in \mathbb{Z}_q^{n \times \ell}$: $\ell$ times longer, but not a practical storage concern!
- Encryption, Enc($\vec{m} \in \mathbb{Z}_t^\ell$): Return ciphertext $C = (\vec{a}^T = \vec{r}^T \cdot A \bmod q,\ \vec{c}^T = \vec{r}^T \cdot P + \lceil q/t \rfloor \cdot \vec{m} \bmod q)$.
  Ciphertext expansion ratio $= \mathrm{Length}(C)/\mathrm{Length}(\vec{m}) = (n + \ell) \cdot \log q / (\ell \log t) = (1 + n/\ell) \cdot \log q / \log t$.
  If $q = t^{O(1)}$, the expansion ratio is $O(1)$ for $\ell \ge n$!
  Encryption time: $O(m(n + \ell) \log q)$ bit ops: $\approx (1 + \ell/n)$-times larger than the orig. scheme ($\ell = 1$).
- Decryption, Dec($C = (\vec{a}^T, \vec{c}^T)$): Compute $(\vec{c}')^T = \vec{c}^T - \vec{a}^T \cdot S \bmod q$, round to the nearest multiple of $\lceil q/t \rfloor$ mod $q$ to get $\vec{c}''$. Return plaintext $\vec{m} = \vec{c}'' / \lceil q/t \rfloor$.
Efficiency Considerations: Ciphertext Expansion

Q: But, why is reusing $\vec{a}^T$ still as secure as LWE?
A: Security reduction from LWE: an example of a 'hybrid argument'.

- Suppose there was an efficient IND-CPA attack algorithm B, breaking $2^\lambda$ security of Regev's encryption scheme: B runs in time $T_B$ and wins the IND-CPA game with prob. $1/2 + \varepsilon_B$ (with $T_B < 2^\lambda$ and non-neg. $\varepsilon_B > 1/2^\lambda$).
- Then, we construct $\ell$ Dec-LWE algorithms $D_1, \ldots, D_\ell$ such that at least one $D_i$ has advantage $\ge (\varepsilon_B - 1/2^{\lambda+1})/\ell \ge 1/2^{\lambda + 1 + \log \ell}$.

Given a Dec-LWE instance $(q, n, A, \vec{y})$, $D_i$ does the following:

- $D_i$ runs attacker B on input public key $(A, P = (\vec{p}_1, \ldots, \vec{p}_\ell))$, where
  - For $j = 1, \ldots, i-1$, $D_i$ sets $\vec{p}_j = A \cdot \vec{s}_j + \vec{e}_j \bmod q$, where $\vec{s}_j \leftarrow U(\mathbb{Z}_q^n)$ and $\vec{e}_j \leftarrow \chi^m_{\alpha q}$ are sampled independently by $D_i$.
  - For $j = i$, $D_i$ sets $\vec{p}_i = \vec{y}$.
  - For $j = i+1, \ldots, \ell$, $D_i$ samples independent $\vec{p}_j \leftarrow U(\mathbb{Z}_q^m)$.
- When B makes its challenge query $(\vec{m}_0, \vec{m}_1)$, $D_i$ behaves like the real challenger: it chooses a random bit $b$, picks a coefficient vector $\vec{r} \leftarrow U(\{-B_r, \ldots, B_r\}^m)$ and computes $\vec{a}^T = \vec{r}^T \cdot A$, $\vec{c}^T = \vec{r}^T \cdot P + \lceil q/t \rfloor \cdot \vec{m}_b \bmod q$. $D_i$ returns the challenge ciphertext $(\vec{a}^T, \vec{c}^T)$.
- When B returns a guess $b'$ for $b$, $D_i$ returns 'Real' if $b' = b$, and 'Rand' if $b' \ne b$.
Efficiency Considerations: Ciphertext Expansion

'Reusing' $\vec{a}^T$ security reduction (cont.): Consider two LWE scenarios for $\vec{y}$ as input to $D_i$:

- 'Real' LWE scenario, $\vec{p}_i = \vec{y} = A \cdot \vec{s} + \vec{e} \bmod q$: the first $i$ vectors $\vec{p}_1, \ldots, \vec{p}_i$ in the public key are computed exactly as in the real IND-CPA game, the remaining $\ell - i$ vectors $\vec{p}_{i+1}, \ldots, \vec{p}_\ell$ are random. Call this distribution of $P$ (first $i$ $\vec{p}_j$'s 'real', last $\ell - i$ $\vec{p}_j$'s 'random') the $i$-th 'hybrid' distribution.
  - Define the winning probability of B for the $i$-th 'hybrid' distribution of $P$ as $p_i = 1/2 + \varepsilon_i$, hence $D_i$ returns 'Real' with prob. $1/2 + \varepsilon_i$.
  - Note two extreme values of $p_j$ are known:
    - $p_0 \le 1/2 + 1/2^{\lambda+1}$ (all $\vec{p}_j$'s uniformly random) by the LHL argument (as before), except the LHL condition becomes $(2B_r + 1)^m \gg q^{n + \ell}$.
    - $p_\ell = 1/2 + \varepsilon_B$ (all $\vec{p}_j$'s as in the real IND-CPA game) by the assumption on B.
- 'Random' LWE scenario, $\vec{p}_i = \vec{y} \leftarrow U(\mathbb{Z}_q^m)$: the first $i - 1$ vectors $\vec{p}_1, \ldots, \vec{p}_{i-1}$ in the public key are computed exactly as in the real IND-CPA game, the remaining $\ell - i + 1$ vectors $\vec{p}_i, \ldots, \vec{p}_\ell$ are random. This is the $(i-1)$-th hybrid distribution of $P$.
- So: the distinguishing advantage of $D_i$ is $\Delta_i = |p_i - p_{i-1}|$.
- Since $p_\ell - p_0 \ge \varepsilon_B - 1/2^{\lambda+1}$, one of the $\ell$ $\Delta_i$'s (say $i = i^*$) must be $\ge (\varepsilon_B - 1/2^{\lambda+1})/\ell \ge 1/(\ell \cdot 2^{\lambda+1})$.
- Conclusion: $D_{i^*}$ contradicts the $2^{\lambda + 1 + \log \ell}$-security of LWE!
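The multi-bit Regev scheme from the preceding slides, together with the hybrid public key that $D_i$ constructs in the reduction, as an added example (this is constructed demo code, not from the slides or from [PVW08]). Setting `ell = 1` in `keygen` gives the original single-symbol scheme, so the same code serves both versions; `expansion_ratio` evaluates the slides' formula $(n+\ell)\log q/(\ell \log t)$, and `hybrid_public_key` / `reduction_D_i` build the $i$-th hybrid and run $D_i$ against an arbitrary attacker callable. All parameters, the rounded-Gaussian error sampler and the placeholder attacker in `hybrid_demo` are assumptions of this demo.

```python
import math
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
Q, N, M = 4093, 8, 40   # modulus q, LWE dimension n, number of samples m
T = 16                  # plaintext alphabet Z_t
SIGMA = 1.0             # alpha*q, std. dev. of the rounded-Gaussian error
B_R = 1                 # encryption randomness r has entries in {-B_R, ..., B_R}


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _vec_mat(r, A, q):
    """r^T * A mod q for a length-m vector r and an m x n matrix A."""
    return [sum(r[i] * A[i][j] for i in range(len(A))) % q for j in range(len(A[0]))]


def lwe_sample(rng, A, s):
    """A*s + e mod Q with a fresh rounded-Gaussian error vector e."""
    return [(_dot(row, s) + round(rng.gauss(0, SIGMA))) % Q for row in A]


def keygen(rng, ell):
    """Multi-bit Regev keys with ell secrets; ell = 1 is the original scheme."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    S = [[rng.randrange(Q) for _ in range(N)] for _ in range(ell)]
    P = [lwe_sample(rng, A, s) for s in S]
    return (A, P), S


def encrypt(rng, pk, msg):
    """Encrypt msg in Z_T^ell; the a^T component is shared by all ell slots."""
    A, P = pk
    r = [rng.randrange(-B_R, B_R + 1) for _ in range(M)]
    delta = round(Q / T)  # the scaling factor written ⌈q/t⌋ on the slides
    a = _vec_mat(r, A, Q)
    c = [(_dot(r, p_i) + delta * m_i) % Q for p_i, m_i in zip(P, msg)]
    return a, c


def decrypt(sk, ct):
    a, c = ct
    delta = round(Q / T)
    # c_i - a^T s_i = r^T e_i + delta*m_i mod Q; the noise r^T e_i is small, so
    # rounding to the nearest multiple of delta (mod Q) recovers m_i.
    return [round(((c_i - _dot(a, s_i)) % Q) / delta) % T for s_i, c_i in zip(sk, c)]


def expansion_ratio(ell):
    """Length(C)/Length(m) = (n + ell) log q / (ell log t), as on the slides."""
    return (N + ell) * math.log2(Q) / (ell * math.log2(T))


def hybrid_public_key(rng, A, y, i, ell):
    """Public key handed to the attacker by D_i: slots 1..i-1 are fresh LWE
    samples, slot i is the challenge y, slots i+1..ell are uniform.  With y real
    this is hybrid i; with y uniform it is hybrid i-1."""
    P = [lwe_sample(rng, A, [rng.randrange(Q) for _ in range(N)]) for _ in range(i - 1)]
    P.append(list(y))
    P += [[rng.randrange(Q) for _ in range(M)] for _ in range(ell - i)]
    return (A, P)


def reduction_D_i(rng, A, y, i, ell, attacker):
    """D_i: run the IND-CPA attacker on the hybrid key, answer its single challenge
    query like the real challenger, and output 'Real' iff its guess b' equals b."""
    pk = hybrid_public_key(rng, A, y, i, ell)
    b = rng.randrange(2)

    def challenge(m0, m1):
        return encrypt(rng, pk, m1 if b else m0)

    return "Real" if attacker(pk, challenge) == b else "Rand"


def roundtrip(seed=1, ell=N):
    """Encrypt a random message under fresh keys and check decryption recovers it."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, ell)
    msg = [rng.randrange(T) for _ in range(ell)]
    return decrypt(sk, encrypt(rng, pk, msg)) == msg


def hybrid_demo(seed=5, i=3, ell=6):
    """Run D_i with a placeholder attacker that always guesses 0 (an assumption of
    this demo; it has no advantage, so D_i's output is a coin flip, as the
    argument predicts for an attacker with epsilon_B = 0)."""
    rng = random.Random(seed)
    (A, (y,)), _ = keygen(rng, 1)          # a real LWE sample plays the challenge y
    verdict = reduction_D_i(rng, A, y, i, ell, lambda pk, chal: 0)
    hp = hybrid_public_key(rng, A, y, i, ell)
    return verdict, len(hp[1]), hp[1][i - 1] == y


if __name__ == "__main__":
    print("expansion ratio, ell = 1:", round(expansion_ratio(1), 2))
    print("expansion ratio, ell = n:", round(expansion_ratio(N), 2))
    print("decrypt(encrypt(m)) == m:", roundtrip())
```

With $q = t^{O(1)}$ the ratio drops from about $27$ at $\ell = 1$ to about $6$ at $\ell = n$ for these toy values, while the shared $\vec{a}^T$ costs nothing extra per slot. The decryption bound is the usual one: each slot's noise $\vec{r}^T \vec{e}_i$ must stay below $\lceil q/t \rfloor / 2$, which with $\|\vec{r}\|_\infty \le B_r$ and $m$ Gaussian coordinates of std. dev. $\alpha q$ is easily checked before choosing $t$.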