
Foundations of Lattice Cryptography, Daniele Micciancio (PowerPoint presentation)



  1. Foundations of Lattice Cryptography
     Daniele Micciancio, Department of Computer Science and Engineering, University of California, San Diego
     August 12-16, 2013 (UCI)
     Daniele Micciancio, Foundations of Lattice Cryptography

  2. This Talk
     - Introduction to lattice cryptography for a math/non-CS audience.
     - Assume familiarity with math (number theory, lattices, ...).
     - Focus on computational issues relevant to cryptography/computer science.
     - High level view. If you want to know more, ask questions!
     Cryptography ⊆ Math ∩ Computer Science.
     - Same old lattices.
     - Many interesting questions, both from math and cryptography.
     - Here: what questions are relevant/important to cryptography?
     - Will use familiar examples from number theory for illustration.

  3. Lattices and Bases
     A lattice is the set of all integer linear combinations of (linearly independent) basis vectors $B = \{b_1, \ldots, b_n\} \subset \mathbb{R}^n$:
     $$L = \sum_{i=1}^{n} b_i \cdot \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\}$$
     The same lattice has many bases: $L = \sum_{i=1}^{n} c_i \cdot \mathbb{Z}$ (figure: one lattice drawn with the two bases $b_1, b_2$ and $c_1, c_2$).
     Definition (Lattice): a discrete additive subgroup of $\mathbb{R}^n$.

  4. Cryptography
     Goal (informal): build functions $f : A \to B$ that are hard to break.
     Question 1: What does it mean to break a function?
     - Average-case vs. worst-case complexity
     - Pseudorandomness
     - ... for now, assume "break" = "invert".
     Question 2: How do we argue that $f$ is hard to break?
     - Attacks/cryptanalysis: study the best known algorithms to invert the function.
     - Security proofs: show that inverting the function allows one to solve an underlying mathematical problem.

  5. Familiar Example: Factoring based cryptography
     Definition (Factoring problem): given composite $N \in \mathbb{N}$, find $P, Q > 1$ such that $N = P \cdot Q$.
     Cryptographic functions:
     - $\mathrm{Square}(x) = x^2 \bmod N$ (Rabin)
     - $\mathrm{Cube}(x) = x^3 \bmod N$ (low exponent RSA)
     (Diagram: $x \to \mathrm{Cube} \to x^3$; the reverse direction is marked ???.)
     Definition (loRSA inversion problem): given $N \in \mathbb{N}$ and $y \in \mathbb{Z}_N^*$, find $x$ such that $\mathrm{Cube}(x) = y$.

  6. Relation between Inversion and Factoring problems
     Square, Cube are easy to invert if the factorization $N = P \cdot Q$ is known:
     - Invert modulo $P$ and $Q$ separately.
     - Combine the results using the Chinese Remainder Theorem.
     (Diagram: Invert $x^2$ ⇔ Factor $N$; Factor $N$ ⇒ Invert $x^3$, with the converse marked ???.)
     If you can invert $x^2$, then you can factor $N$:
     - Choose random $x \in \mathbb{Z}_N^*$ and compute $x' = \sqrt{x^2}$ (using the square-root algorithm).
     - If $x' \neq \pm x$, then $\gcd(x - x', N) \in \{P, Q\}$ gives the factorization.

  7. Lattice cryptography
     Two "kinds" of cryptographic functions:
     - Functions for which lattice algorithms are the best known, or most natural, attack (e.g., NTRU, Gentry FHE, ...). Diagram: Lattice Problem ⇒ Invert $f$, with the converse marked ???.
     - Functions that are at least as hard to break as some standard lattice problem (e.g., Ajtai, Regev, ...). Diagram: Lattice Problem ⇔ Invert $f$.
     What does $f$ look like? What lattice problem shall we use? $f$ may look quite different from the lattice problem!

  8. Minimum Distance and Successive Minima
     Minimum distance:
     $$\lambda_1 = \min_{x, y \in L,\, x \neq y} \|x - y\| = \min_{x \in L,\, x \neq 0} \|x\|$$
     Successive minima ($i = 1, \ldots, n$):
     $$\lambda_i = \min \{ r : \dim \mathrm{span}(B(r) \cap L) \ge i \}$$
     (Figure: a 2-dimensional lattice with circles of radius $\lambda_1$ and $\lambda_2$.)
     Examples: $\mathbb{Z}^n$: $\lambda_1 = \lambda_2 = \ldots = \lambda_n = 1$. Always: $\lambda_1 \le \lambda_2 \le \ldots \le \lambda_n$.

  9. Distance Function and Covering Radius
     Distance function: $\mu(t, L) = \min_{x \in L} \|t - x\|$.
     Covering radius: $\mu(L) = \max_{t \in \mathrm{span}(L)} \mu(t, L)$.
     (Figure: a target $t$ at distance $\mu$ from the lattice.)
     Spheres of radius $\mu(L)$ centered at all lattice points cover the whole space.

  10. Relations among lattice parameters
     Theorem: $\lambda_1(L) \le \lambda_2(L) \le \ldots \le \lambda_n(L) \le 2\mu(L) \le \sqrt{n}\,\lambda_n(L)$.
     Theorem (Banaszczyk): $1 \le 2\lambda_1(L) \cdot \rho(L^*) \le n$, and $1 \le \lambda_i(L) \cdot \lambda_{n-i+1}(L^*) \le n$.
     Remarks:
     1. $\mu \approx \lambda_n$ (up to $\sqrt{n}$ factors).
     2. For some lattices $\lambda_1 \ll \lambda_2 \ll \ldots \ll \lambda_n$.
     3. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $2\mu = \sqrt{n}\,\lambda_n$.
     4. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $\mu \le 2\lambda_n$.
     Problem: give an explicit construction of a lattice satisfying (4).

  11. Shortest Vector Problem
     Definition (Shortest Vector Problem, SVP$_\gamma$): given a lattice $L(B)$, find a (nonzero) lattice vector $Bx$ (with $x \in \mathbb{Z}^k$) of length (at most) $\|Bx\| \le \gamma \lambda_1$.
     (Figure: basis $b_1, b_2$, the lattice vector $Bx = 5b_1 - 2b_2$, and circles of radius $\lambda_1$ and $2\lambda_1$.)

  12. Shortest Independent Vectors Problem
     Definition (Shortest Independent Vectors Problem, SIVP$_\gamma$): given a lattice $L(B)$, find $n$ linearly independent lattice vectors $Bx_1, \ldots, Bx_n$ of length (at most) $\max_i \|Bx_i\| \le \gamma \lambda_n$.
     (Figure: basis $b_1, b_2$, the vectors $Bx_1, Bx_2$, and circles of radius $\lambda_2$ and $2\lambda_2$.)

  13. Closest Vector Problem
     Definition (Closest Vector Problem, CVP$_\gamma$): given a lattice $L(B)$ and a target point $t$, find a lattice vector $Bx$ within distance $\|Bx - t\| \le \gamma\mu$ from the target.
     (Figure: basis $b_1, b_2$, the target $t$, the lattice vector $Bx$, and circles of radius $\mu$ and $2\mu$ around $t$.)

  14. Special Versions of SVP, SIVP and CVP
     - GapSVP: compute (or approximate) the value $\lambda_1$ without necessarily finding a short vector.
     - GapSIVP: compute (or approximate) the value $\lambda_n$ without necessarily finding short linearly independent vectors.
     - Bounded Distance Decoding (BDD): solve CVP when $\mu(t, L) < \lambda_1(L) / (2\gamma)$.
     - Absolute Distance Decoding (ADD): find a lattice point $Bx$ such that $\|Bx - t\| \le \gamma \cdot \mu(L)$.
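As an added illustration (my own Python, not from the talk) of the definitions in slides 8-14, the following code computes $\lambda_1$, $\lambda_2$, the distance function $\mu(t, L)$ and the covering radius $\mu(L)$ by brute-force enumeration for a constructed 2-dimensional lattice, and checks the chain $\lambda_1 \le \lambda_2 \le 2\mu \le \sqrt{n}\,\lambda_n$ from slide 10. The basis $B$, the enumeration bound and the grid search for deep holes are assumptions made for this example.

```python
import itertools
import math

# Constructed 2-D basis (rows are b1, b2); an assumption for this example, not from the slides.
B = [(3.0, 0.0), (1.0, 1.0)]

def lattice_points(B, bound=6):
    """All Bx with integer coefficients in [-bound, bound]: a finite stand-in for L,
    adequate in dimension 2 for the short vectors and nearby points used below."""
    (b11, b12), (b21, b22) = B
    return [(a*b11 + c*b21, a*b12 + c*b22)
            for a, c in itertools.product(range(-bound, bound + 1), repeat=2)]

def norm(v):
    return math.hypot(v[0], v[1])

def successive_minima(B):
    """lambda_1, lambda_2 by enumeration: lambda_i is the least radius r such that
    the ball of radius r contains i linearly independent lattice vectors."""
    pts = sorted((norm(p), p) for p in lattice_points(B) if p != (0.0, 0.0))
    lam1, v1 = pts[0]
    # the first vector not parallel to v1 (2-D determinant test) realises lambda_2
    lam2 = next(r for r, p in pts if abs(v1[0]*p[1] - v1[1]*p[0]) > 1e-9)
    return lam1, lam2

def closest_vector(t, B):
    """CVP by enumeration: returns (mu(t, L), x) with x the lattice point nearest to t."""
    return min((norm((t[0] - x[0], t[1] - x[1])), x) for x in lattice_points(B))

def covering_radius(B, grid=36):
    """mu(L) = max_t mu(t, L), with t on a grid over the fundamental parallelepiped.
    A grid maximum is a lower bound on mu(L); it is exact when the grid hits a deep
    hole, which grid=36 does for the basis above."""
    (b11, b12), (b21, b22) = B
    best = 0.0
    for i in range(grid + 1):
        for j in range(grid + 1):
            s, u = i / grid, j / grid
            t = (s*b11 + u*b21, s*b12 + u*b22)
            best = max(best, closest_vector(t, B)[0])
    return best

def theorem_chain_holds(B):
    """Checks lambda_1 <= lambda_2 <= 2 mu <= sqrt(n) lambda_n for n = 2 (slide 10)."""
    lam1, lam2 = successive_minima(B)
    mu = covering_radius(B)
    return lam1 <= lam2 <= 2*mu + 1e-9 and 2*mu <= math.sqrt(2)*lam2 + 1e-9
```

For this basis the lattice is $\{(3a + c, c)\}$, whose shortest vector is $(1, 1)$ and whose deep holes (for example $(11/6, 1/6)$) are equidistant from three lattice points.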

  15. Relations among (general) lattice problems
     - SIVP ≈ ADD [MG'01]
     - SVP ≤ CVP [GMSS'99]
     - SIVP ≤ CVP [M'08]
     - GapSVP ≈ GapSIVP [LLS'90, B'93]
     - BDD – SIVP, CVP – SVP [L'86], GapSVP – BDD [LM'09] (the relation symbol between these pairs did not survive the slide export)
     (Diagram nodes: GapSVP, GapSIVP, BDD, SIVP, ADD, CVP, SVP; regions labelled Public Key Cryptography and Private Key Cryptography.)
     Question: What can we say about lattices with symmetries? See [PR'07] for SVP ≤ CVP.

  16. Worst-case vs. Average-case Hardness
     Definition (Factoring problem): given composite $N \in \mathbb{N}$, find $P, Q > 1$ such that $N = P \cdot Q$.
     Algorithm $A$ solves the factoring problem if for any composite $N$ it outputs $P, Q > 1$ such that $N = PQ$.
     Factoring is hard = no efficient algorithm solves Factoring. Same as: for every efficient algorithm $A$ there exists a composite $N$ such that $A(N)$ does not output $P, Q$.
     This is worst-case hardness: the hardest-to-factor $N$ is indeed hard to factor. Not enough for cryptography! It doesn't matter if some key is hard to break; you want assurance that your (randomly chosen) key is hard to break with high probability.
     Average-case hardness: most $N$ are hard to factor.

  17. Difficulties with average-case complexity
     Average-case complexity depends on the input distribution.
     - Let $N$ be a uniformly random integer in $\{1, \ldots, 2^n\}$. Easy on average: $N = 2 \cdot (N/2)$ with probability 50%!
     - Let $N$ be uniformly random in $\{N \in \{1, \ldots, 2^n\} : N = P \cdot Q\}$. Still easy: there are $O(2^n / n)$ products with $P = 2$, and only $O(2^n / n^2)$ products with $P \approx Q$.
     - Let $N = P \cdot Q$ where $P, Q \in \{1, \ldots, 2^{n/2}\}$ are chosen uniformly at random. Ok, maybe now we got it right. This is believed to be hard on average. The belief is based on many decades (or centuries) of hard work!
     Question: How do we know a distribution is right for cryptography?

  18. Average-case hardness: inversion problem
     Definition (loRSA inversion problem): given $N \in \mathbb{N}$ and $y = \mathrm{Cube}(x)$, recover $x$.
     Assume $N = P \cdot Q$ is a hard distribution for $N$.
     Question: how shall we choose $x$? Answer: choose $x \in \mathbb{Z}_N^*$ uniformly at random. Why? This is provably the hardest distribution!
     - Assume we can invert Cube on the average (say, with probability 1%).
     - Say we want to invert $y = \mathrm{Cube}(x)$ (in the worst case).
     - Compute $y' = y \cdot \mathrm{Cube}(r)$ for randomly chosen $r \in \mathbb{Z}_N^*$.
     - Notice: $x' = x \cdot r \in \mathbb{Z}_N^*$ is uniformly random and $\mathrm{Cube}(x') = y'$.
     - Recover $x' = x \cdot r$ (with probability 1%).
     - Compute $x = x' / r$.
     - Repeat 100 times to boost the success probability.
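The randomization argument on this slide, as an added Python illustration (my own code, not from the talk): a simulated weak inverter that only succeeds on about 1% of preimages is turned into an inverter for every $y$ by the re-randomization $y' = y \cdot \mathrm{Cube}(r)$. The toy primes, the "1% of preimages" rule and the trapdoor exponent the simulation uses internally are assumptions of this example; the reduction itself never sees the trapdoor.

```python
import math
import random

# Constructed toy parameters (assumption, not from the slides): primes with
# gcd(3, (P-1)(Q-1)) = 1, so that Cube is a permutation of Z_N^*.
P, Q = 1019, 1031
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(3, -1, PHI)   # cube-root exponent; only the simulated oracle uses it

def cube(x):
    """Cube(x) = x^3 mod N, the low-exponent RSA function from slide 5."""
    return pow(x, 3, N)

def weak_inverter(y):
    """Simulates an average-case attacker that inverts Cube on roughly 1% of
    uniformly random inputs: it answers only when the preimage ends in the
    digits 37, and refuses otherwise. The trapdoor D is used solely to
    simulate such an attacker; the reduction below treats this as a black box."""
    x = pow(y, D, N)
    return x if x % 100 == 37 else None

def invert_any(y, rounds=2000):
    """Worst-case inversion from the weak inverter, as on the slide:
    y' = y * Cube(r) has preimage x' = x * r, which is uniform in Z_N^* when r
    is, so the oracle succeeds on y' with its average-case probability (about
    1% per round); then x = x' / r. 2000 rounds fail with probability 0.99^2000."""
    for _ in range(rounds):
        r = random.randrange(1, N)
        if math.gcd(r, N) != 1:
            continue                      # stay inside Z_N^*
        x_prime = weak_inverter(y * cube(r) % N)
        if x_prime is not None:
            return x_prime * pow(r, -1, N) % N
    return None
```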

  19. Cryptographic functions
     Definition (Ajtai's function): $f_A(x) = Ax \bmod q$, where $A \in \mathbb{Z}_q^{n \times m}$ and $x \in \{0, 1\}^m$.
     (Figure: a numeric example with $q = 10$ showing a binary vector $x \in \{0,1\}^m$, a matrix $A \in \mathbb{Z}_q^{n \times m}$ and the product $y = Ax \in \mathbb{Z}_q^n$.)
     Cryptanalysis (inversion): given $A$ and $y$, find $x \in \{0, 1\}^m$ such that $Ax = y$.
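An added Python illustration of Ajtai's function (my own code, not the slide's numeric example; the parameters $n = 3$, $m = 10$, $q = 10$ are an assumption chosen so that $m > n \log_2 q$): it evaluates $f_A$, inverts one image by exhaustive search over $\{0,1\}^m$, and shows that a collision of $f_A$ yields a short nonzero $z \in \{-1, 0, 1\}^m$ with $Az = 0 \pmod q$, i.e. a short vector in the lattice $\{z : Az \equiv 0 \pmod q\}$, which is how inverting $f_A$ connects to a lattice problem.

```python
import itertools
import random

# Constructed toy parameters (assumption): 2^m = 1024 inputs but only q^n = 1000
# outputs, so by the pigeonhole principle f_A must have collisions.
N_ROWS, M_COLS, Q = 3, 10, 10

def sample_matrix(rng):
    """Uniformly random A in Z_q^{n x m}, the public description of f_A."""
    return [[rng.randrange(Q) for _ in range(M_COLS)] for _ in range(N_ROWS)]

def ajtai(A, x):
    """f_A(x) = Ax mod q; x is meant to be binary but any integer vector works."""
    return tuple(sum(a * b for a, b in zip(row, x)) % Q for row in A)

def invert_bruteforce(A, y):
    """Inversion as stated on the slide, by exhaustive search over all 2^m binary x
    (feasible only because m is tiny here; cost grows as 2^m)."""
    for x in itertools.product((0, 1), repeat=M_COLS):
        if ajtai(A, x) == y:
            return x
    return None

def find_collision(A):
    """Two distinct binary inputs with the same image, found by tabulating images."""
    seen = {}
    for x in itertools.product((0, 1), repeat=M_COLS):
        y = ajtai(A, x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None

def kernel_vector(A):
    """z = x1 - x2 for a collision (x1, x2): nonzero, entries in {-1, 0, 1}, and
    Az = 0 mod q, so z is a short vector of the q-ary lattice {z : Az = 0 (mod q)}."""
    x1, x2 = find_collision(A)
    return tuple(a - b for a, b in zip(x1, x2))

def demo(seed=7):
    """Builds a random A, inverts one image, and extracts a short kernel vector."""
    rng = random.Random(seed)
    A = sample_matrix(rng)
    x = tuple(rng.randrange(2) for _ in range(M_COLS))
    y = ajtai(A, x)
    return A, y, invert_bruteforce(A, y), kernel_vector(A)
```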
