Fundamentals of Lattice-Based Cryptography Chris Peikert - PowerPoint PPT Presentation

  1. Fundamentals of Lattice-Based Cryptography
     Chris Peikert, University of Michigan
     2nd Crypto Innovation School, Shanghai, China, 13 December 2019
     1 / 23

  2. Talk Outline
     1. Lattices and hard problems
     2. The SIS and LWE problems; basic applications
     3. Using rings for efficiency
     2 / 23

  3. Today's Cryptography (e.g., RSA, Diffie-Hellman)
     ◮ Conjectured-hard problems: factor $N = P \cdot Q$; compute discrete logs (given $g$ and $y = g^X \in G$, find $X$)
     ◮ Shor's quantum algorithm solves both:
       $N = P \cdot Q$ with
       P = 16062216870909044065 21305750140972822779 12585584569433331615 67336009072353225107 827658775597032991663 58864221620325802176
       Q = 55802658737520126407 13264514053200565459 22059995071405557278 67263583507984286802 967027854563351343547 756201383768089567669
       and $g,\ y = g^X \in G \Rightarrow X$
     3 / 23

  4. Lattice-Based Cryptography
     (Figure: number-theoretic primitives, $N = p \cdot q$, $m^e \bmod N$, $g^x = y$, $(g^a, g^b)$, $\Rightarrow$ lattices. Images courtesy xkcd.org)
     Advantages
     ◮ Appears resistant to quantum attacks
     ◮ Simple description and implementation
     ◮ Efficient: linear, highly parallelizable
     ◮ Security from worst-case assumptions [Ajtai96, ...]
     4 / 23

  5. Part 1: Lattices and Hard Problems
     5 / 23

  6. Lattices
     ◮ An (integer) lattice is a subgroup $L \subseteq \mathbb{Z}^m$. (Looks like a periodic "grid.")
     ◮ Has a basis $B = \{b_1, \ldots, b_k\}$ of linearly independent vectors:
       $L = \sum_{i=1}^{k} (\mathbb{Z} \cdot b_i)$
       Today, $k = m$ always: "full rank."
       (Other representations as well...)
     (Figure: a two-dimensional lattice with origin $O$, basis vectors $b_1, b_2$, a lattice vector $v$, and the minimum distance $\lambda_1$.)
     Conjectured Hard Problems
     ◮ Find 'relatively short' (nonzero) lattice vector(s): $\mathrm{SVP}_\gamma$, $\mathrm{SIVP}_\gamma$
     ◮ Estimate geometric quantities of the lattice: minimum distance $\lambda_1$, successive minima $\lambda_i$, covering radius $\mu$, ...
     6 / 23

  7. Complexity (for the Worst Case)
     $\mathrm{GapSVP}_\gamma$
     ◮ Given (a basis of) an $m$-dim lattice $L$ and some $d > 0$, distinguish $\lambda_1(L) \le d$ FROM $\lambda_1(L) > \gamma(m) \cdot d$
     ◮ Becomes easier for larger $\gamma(m)$:
       $\gamma = 2^{(\log m)^{1-\epsilon}}$: NP-hard* [Ajt98, ...]
       $\gamma = \sqrt{m}$: $\in$ coNP [GG98, AR05]
       $\gamma \sim m$: crypto [Ajt96, ...]
       $\gamma = 2^m$: $\in$ P [LLL82, Sch87]
     ◮ For $\gamma = \mathrm{poly}(m)$, fastest algorithm: $2^m$ time & space [AKS01, MV10, ...]
     ◮ Similar status for other problems like $\mathrm{SIVP}_\gamma$, ...
     7 / 23

  8. Part 2: SIS/LWE and Basic Applications
     8 / 23

  9. A Hard Problem: Short Integer Solution [Ajtai'96]
     ◮ Fix a dimension $n$ and modulus $q$ (e.g., $q \approx n^2$). Let $\mathbb{Z}_q^n$ = $n$-dimensional integer vectors modulo $q$.
       (Figure: uniform column vectors $a_1, a_2, \ldots, a_m \in \mathbb{Z}_q^n$.)
     ◮ SIS: given many uniform $a_i$, find nontrivial $z_1, \ldots, z_m \in \{0, \pm 1\}$ s.t.
       $z_1 \cdot a_1 + z_2 \cdot a_2 + \cdots + z_m \cdot a_m = 0 \in \mathbb{Z}_q^n$
       Equivalently, with the $a_i$ as the $m$ columns of $A \in \mathbb{Z}_q^{n \times m}$: find 'short' nonzero $z$ s.t. $Az = 0 \in \mathbb{Z}_q^n$.
     Collision-Resistant Hash Function
     ◮ Define $f_A : \{0,1\}^m \to \mathbb{Z}_q^n$ for any $m > n \lg q$ as $f_A(x) = Ax$.
     ◮ Collision $x, x' \in \{0,1\}^m$ where $Ax = Ax'$ ...
       ... yields a short (nonzero) solution $z = x - x' \in \{0, \pm 1\}^m$.
     9 / 23

  10. Cool! (but what does this have to do with lattices?)
     ◮ Matrix $A = (a_1, \ldots, a_m) \in \mathbb{Z}_q^{n \times m}$:
       $L^\perp(A) = \{ z \in \mathbb{Z}^m : Az = 0 \}$
     (Figure: the lattice $L^\perp(A)$ in two dimensions, with origin $O$ and the points $(q, 0)$ and $(0, q)$ marked.)
     ◮ 'Short' solutions $z$ lie in
     10 / 23
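Added worked example (not from Peikert's slides): a toy Python implementation of Ajtai's hash $f_A(x) = Ax \bmod q$ from slide 9 together with the membership test for the lattice $L^\perp(A)$ from slide 10. It shows the two facts the slides state: $f_A$ compresses once $m > n \lg q$, and any collision $x \ne x'$ yields $z = x - x' \in \{0, \pm 1\}^m$ with $Az = 0 \bmod q$, i.e. a short nonzero vector of $L^\perp(A)$. The parameters $n = 2$, $q = 7$, $m = 8$ and the RNG seed are constructed for illustration and are far too small to be secure; the brute-force birthday search exists only to manufacture a collision at toy size, which is feasible because the output space has just $q^n = 49$ elements.

```python
import math
import random

# Toy SIS parameters (constructed for illustration; far too small to be secure).
N_DIM = 2     # n: rows of A, i.e. the output dimension of f_A
Q_MOD = 7     # q: modulus
M_COLS = 8    # m: must exceed n*lg(q) ~ 5.6 so that f_A compresses


def sample_sis_matrix(n, m, q, rng):
    """Uniform A in Z_q^{n x m}, stored as n rows of m entries (the columns are the a_i)."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def mat_vec_mod(A, v, q):
    """A*v reduced mod q, as a tuple in Z_q^n."""
    return tuple(sum(a * b for a, b in zip(row, v)) % q for row in A)


def f_A(A, x, q):
    """Ajtai's hash f_A(x) = A x mod q, defined on bit-vectors x in {0,1}^m."""
    if any(b not in (0, 1) for b in x):
        raise ValueError("f_A is defined on {0,1}^m")
    return mat_vec_mod(A, x, q)


def is_compressing(n, m, q):
    """Collisions are guaranteed to exist when 2^m > q^n, i.e. m > n lg q."""
    return m > n * math.log2(q)


def in_perp_lattice(A, z, q):
    """Membership test for L^perp(A) = { z in Z^m : A z = 0 mod q }."""
    return all(c == 0 for c in mat_vec_mod(A, z, q))


def collision_to_short_vector(A, x, x2, q):
    """Turn a collision f_A(x) = f_A(x2), x != x2, into the SIS solution z = x - x2.

    z is nonzero, has entries in {0, +1, -1}, and satisfies A z = 0 mod q,
    so it is a short nonzero vector of L^perp(A).
    """
    if x == x2 or f_A(A, x, q) != f_A(A, x2, q):
        raise ValueError("not a collision")
    z = tuple(a - b for a, b in zip(x, x2))
    assert set(z) <= {-1, 0, 1} and any(z)
    assert in_perp_lattice(A, z, q)
    return z


def birthday_collision(A, q, m, rng, max_samples=10_000):
    """Brute-force collision search; feasible only because the toy output space has q^n = 49 elements."""
    seen = {}
    for _ in range(max_samples):
        x = tuple(rng.randrange(2) for _ in range(m))
        h = f_A(A, x, q)
        if h in seen and seen[h] != x:
            return seen[h], x
        seen[h] = x
    raise RuntimeError("no collision within the sampling budget")


def demo(seed=0):
    """Sample A, find a collision of f_A, and convert it into a short vector of L^perp(A)."""
    rng = random.Random(seed)
    A = sample_sis_matrix(N_DIM, M_COLS, Q_MOD, rng)
    x, x2 = birthday_collision(A, Q_MOD, M_COLS, rng)
    z = collision_to_short_vector(A, x, x2, Q_MOD)
    return {"A": A, "x": x, "x2": x2, "z": z}


if __name__ == "__main__":
    r = demo()
    print("A =", r["A"])
    print("collision x, x' =", r["x"], r["x2"])
    print("short SIS solution z = x - x' =", r["z"], "in L^perp(A):", in_perp_lattice(r["A"], r["z"], Q_MOD))
```

The reduction on slide 9 runs in the other direction in practice: an adversary who finds a collision of $f_A$ has, by `collision_to_short_vector`, solved SIS for $A$, so collision resistance of $f_A$ is at least as hard as SIS. Note that `in_perp_lattice` accepts any integer $z$ with $Az = 0 \bmod q$, while SIS additionally asks that $z$ be short; the vector $(1, -2, 1)$ for $A = \begin{pmatrix}1&2&3\\4&5&6\end{pmatrix}$ is an example of a lattice vector that a collision of $f_A$ could not have produced, since its entries leave $\{0, \pm 1\}$.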
