
How to Use a Short Basis: Trapdoors for Hard Lattices and New - PowerPoint PPT Presentation

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions. Chris Peikert, SRI. Work with Craig Gentry and Vinod Vaikuntanathan.


  1. How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions. Chris Peikert, SRI. Work with Craig Gentry and Vinod Vaikuntanathan. (1 / 14)

  2. Digital Signatures (2 / 14)

  3. Digital Signatures: (public), (secret) (2 / 14)

  4. Digital Signatures: (public) “I love you” ✔, (secret) (2 / 14)

  5. Digital Signatures: (public) “It’s over” ✗, (secret) (2 / 14)

  6. Trapdoor Permutations [DiffieHellman76] (3 / 14)
     - Public function $f$, secret “trapdoor” $f^{-1}$

  7. Trapdoor Permutations [DiffieHellman76] (3 / 14)
     - Public function $f$, secret “trapdoor” $f^{-1}$
     - [Figure: $f$ maps $x$ in Dom to $y$ in Dom]

  8. Trapdoor Permutations [DiffieHellman76] (3 / 14)
     - Public function $f$, secret “trapdoor” $f^{-1}$
     - [Figure: $x$ in Dom, $y$ in Dom]

  9. Trapdoor Permutations [DiffieHellman76] (3 / 14)
     - Public function $f$, secret “trapdoor” $f^{-1}$
     - [Figure: $f^{-1}$ maps $y$ in Dom to $x$ in Dom]

  10. Trapdoor Permutations [DiffieHellman76] (3 / 14)
      - Public function $f$, secret “trapdoor” $f^{-1}$
      - [Figure: $f^{-1}$ maps $y$ in Dom to $x$ in Dom]
      - Candidates: [RSA78, Rabin79, Paillier99]
        - ✔ “General assumption”
        - ✔ Applications: digital signatures, OT, NIZK, ...

  11. Trapdoor Permutations [DiffieHellman76] (3 / 14)
      - Public function $f$, secret “trapdoor” $f^{-1}$
      - [Figure: $f^{-1}$ maps $y$ in Dom to $x$ in Dom]
      - Candidates: [RSA78, Rabin79, Paillier99]
        - ✔ “General assumption”
        - ✔ Applications: digital signatures, OT, NIZK, ...
      - All rely on hardness of factoring
        - ✗ Complex: 2048-bit exponentiation
        - ✗ Lack of diversity
        - ✗ Broken by quantum algorithms [Shor]

  12. Lattice-Based Cryptography (4 / 14)
      What’s To Like
      - Simple & efficient: linear ops, small integers
      - Resist subexp & quantum attacks (so far)
      - Security from worst-case hardness [Ajtai, ...]

  13. Lattice-Based Cryptography (4 / 14)
      What’s To Like
      - Simple & efficient: linear ops, small integers
      - Resist subexp & quantum attacks (so far)
      - Security from worst-case hardness [Ajtai, ...]

      What’s Known
      1. One-way & collision-resistant functions [Ajtai, ..., MicciancioRegev]
      2. Public-key encryption [AjtaiDwork, Regev]
      3. Recent developments [LyubMicc, PeikWat, ...]

  14. Lattice-Based Cryptography (4 / 14)
      What’s To Like
      - Simple & efficient: linear ops, small integers
      - Resist subexp & quantum attacks (so far)
      - Security from worst-case hardness [Ajtai, ...]

      What’s Known
      1. One-way & collision-resistant functions [Ajtai, ..., MicciancioRegev]
      2. Public-key encryption [AjtaiDwork, Regev]
      3. Recent developments [LyubMicc, PeikWat, ...]

      What’s Missing
      - Everything else! Practical signatures, protocols, “advanced” crypto, ...

  15. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions

  16. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions
         - [Figure: $f$ maps $x$ in $D$ to $y$ in $R$]

  18. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions
         - [Figure: $f^{-1}$ maps $y$ in $R$ to $x$ in $D$]

  19. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions
         - [Figure: $f^{-1}$ maps $y$ in $R$ to $x$ in $D$]
         - Generate $(x, y)$ in two equivalent ways [Figure: $x$ in $D$ mapped to $y$ in $R$ by $f$; $y$ in $R$ mapped to $x$ in $D$ by $f^{-1}$]

  20. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions
         - [Figure: $f^{-1}$ maps $y$ in $R$ to $x$ in $D$]
         - Generate $(x, y)$ in two equivalent ways [Figure: $x$ in $D$ mapped to $y$ in $R$ by $f$; $y$ in $R$ mapped to $x$ in $D$ by $f^{-1}$]
         - “As good as” trapdoor permutations in many applications

  21. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions
         - [Figure: $f^{-1}$ maps $y$ in $R$ to $x$ in $D$]
         - Generate $(x, y)$ in two equivalent ways [Figure: $x$ in $D$ mapped to $y$ in $R$ by $f$; $y$ in $R$ mapped to $x$ in $D$ by $f^{-1}$]
         - “As good as” trapdoor permutations in many applications
      2. “Hash and sign” signatures: FDH etc.

  22. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions
         - [Figure: $f^{-1}$ maps $y$ in $R$ to $x$ in $D$]
         - Generate $(x, y)$ in two equivalent ways [Figure: $x$ in $D$ mapped to $y$ in $R$ by $f$; $y$ in $R$ mapped to $x$ in $D$ by $f^{-1}$]
         - “As good as” trapdoor permutations in many applications
      2. “Hash and sign” signatures: FDH etc.
      3. Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV], ...

  23. Results: New Lattice-Based Crypto (5 / 14)
      1. Preimage sampleable trapdoor functions
         - [Figure: $f^{-1}$ maps $y$ in $R$ to $x$ in $D$]
         - Generate $(x, y)$ in two equivalent ways [Figure: $x$ in $D$ mapped to $y$ in $R$ by $f$; $y$ in $R$ mapped to $x$ in $D$ by $f^{-1}$]
         - “As good as” trapdoor permutations in many applications
      2. “Hash and sign” signatures: FDH etc.
      3. Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV], ...

      New Algorithmic Tool
      - “Oblivious decoder” on lattices

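  24. Lattices (6 / 14)
      A lattice $L \subset \mathbb{R}^n$ having basis $B = \{b_1, \ldots, b_n\}$ is:
      $$L = \sum_{i=1}^{n} (\mathbb{Z} \cdot b_i)$$
      [Figure: lattice with origin $O$ and basis vectors $b_1$, $b_2$]

  25. Lattices (6 / 14)
      A lattice $L \subset \mathbb{R}^n$ having basis $B = \{b_1, \ldots, b_n\}$ is:
      $$L = \sum_{i=1}^{n} (\mathbb{Z} \cdot b_i)$$
      [Figure: lattice with origin $O$ and basis vectors $b_1$, $b_2$]

  26. Lattices (6 / 14)
      A lattice $L \subset \mathbb{R}^n$ having basis $B = \{b_1, \ldots, b_n\}$ is:
      $$L = \sum_{i=1}^{n} (\mathbb{Z} \cdot b_i)$$
      [Figure: lattice with origin $O$ and basis vectors $b_1$, $b_2$]

      Shortest Vector Problem ($\mathrm{SVP}_\gamma$)
      - Given $B$, find (nonzero) $v \in L$ within $\gamma$ factor of shortest.

  27. Lattices (6 / 14)
      A lattice $L \subset \mathbb{R}^n$ having basis $B = \{b_1, \ldots, b_n\}$ is:
      $$L = \sum_{i=1}^{n} (\mathbb{Z} \cdot b_i)$$
      [Figure: lattice with origin $O$, basis vectors $b_1$, $b_2$, target $t$ and distance $\beta$]

      Shortest Vector Problem ($\mathrm{SVP}_\gamma$)
      - Given $B$, find (nonzero) $v \in L$ within $\gamma$ factor of shortest.

      Absolute Distance Decoding ($\mathrm{ADD}_\beta$)
      - Given $B$ and target $t \in \mathbb{R}^n$, find some $v \in L$ within distance $\beta$.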

  28. Complexity of Lattice Problems (7 / 14)
      $\mathrm{SVP}_\gamma$ in the Worst Case
      - $\gamma = O(1)$: NP-hard [Ajt,Mic,Kho]
      - $\gamma = \mathrm{poly}(n)$: $2^n$ time [AKS]
      - $\gamma = 2^n$: $\mathrm{poly}(n)$ time [LLL,Sch]

  29. Complexity of Lattice Problems (7 / 14)
      $\mathrm{SVP}_\gamma$ in the Worst Case
      - $\gamma = O(1)$: NP-hard [Ajt,Mic,Kho]
      - $\gamma = \mathrm{poly}(n)$: $2^n$ time [AKS]
      - $\gamma = 2^n$: $\mathrm{poly}(n)$ time [LLL,Sch]

      Average-Case
      - [Ajtai96, ..., MicciancioRegev04]: $\mathrm{SVP}_\gamma$ on a random lattice is as hard as $\mathrm{SVP}_{\gamma \cdot n}$ on every lattice

  30. Complexity of Lattice Problems (7 / 14)
      $\mathrm{SVP}_\gamma$ in the Worst Case
      - $\gamma = O(1)$: NP-hard [Ajt,Mic,Kho]
      - $\gamma = \mathrm{poly}(n)$: $2^n$ time [AKS]
      - $\gamma = 2^n$: $\mathrm{poly}(n)$ time [LLL,Sch]

      Average-Case
      - [Ajtai96, ..., MicciancioRegev04]: $\mathrm{ADD}_\beta$ on a random lattice is as hard as $\mathrm{SVP}_{\beta \cdot n}$ on every lattice
      - Decoding hard on average, too

  31. Complexity of Lattice Problems (7 / 14)
      $\mathrm{SVP}_\gamma$ in the Worst Case
      - $\gamma = O(1)$: NP-hard [Ajt,Mic,Kho]
      - $\gamma = \mathrm{poly}(n)$: $2^n$ time [AKS]
      - $\gamma = 2^n$: $\mathrm{poly}(n)$ time [LLL,Sch]

      Average-Case
      - [Ajtai96, ..., MicciancioRegev04]: $\mathrm{ADD}_\beta$ on a random lattice is as hard as $\mathrm{SVP}_{\beta \cdot n}$ on every lattice
      - Decoding hard on average, too

      Bottom Line
      - On random lattices, $\mathrm{SVP}_\gamma$ and $\mathrm{ADD}_\beta$ seem exponentially hard

  32. GGH Signatures [GoldreichGoldwasserHalevi96] (8 / 14)
      - “Hard” (public) verification basis $B$, short (secret) signing basis $S$
      - [Figure: basis vectors $s_1$, $s_2$ and $b_1$, $b_2$]

  33. GGH Signatures [GoldreichGoldwasserHalevi96] (8 / 14)
      - “Hard” (public) verification basis $B$, short (secret) signing basis $S$
      - Sign with “nearest-plane” algorithm [Babai]
      - [Figure: basis vectors $s_1$, $s_2$]

  40. GGH Signatures [GoldreichGoldwasserHalevi96] (8 / 14)
      - “Hard” (public) verification basis $B$, short (secret) signing basis $S$
      - Sign with “nearest-plane” algorithm [Babai]

  41. GGH Signatures [GoldreichGoldwasserHalevi96] (8 / 14)
      - “Hard” (public) verification basis $B$, short (secret) signing basis $S$
      - Sign with “nearest-plane” algorithm [Babai]

      Issues
      1. Generating short & hard bases together
         - Ad-hoc, no worst-case hardness

  42. GGH Signatures [GoldreichGoldwasserHalevi96] (8 / 14)
      - “Hard” (public) verification basis $B$, short (secret) signing basis $S$
      - Sign with “nearest-plane” algorithm [Babai]

      Issues
      1. Generating short & hard bases together
         - Ad-hoc, no worst-case hardness
      2. Secret key leakage
         - Total break after several signatures [NguyenRegev]

  43. Gaussians and Lattices (9 / 14)

  46. Gaussians and Lattices (9 / 14)
      - “Uniform” in $\mathbb{R}^n$ when std dev ≥ shortest basis [Regev,MicciancioRegev]

  47. Our Trapdoor Function (10 / 14)
      - “Hard” public basis $B$, short secret basis $S$ [Ajtai99,AP08]
      - [Figure: basis vectors $s_1$, $s_2$ and $b_1$, $b_2$]

  48. Our Trapdoor Function (10 / 14)
      - “Hard” public basis $B$, short secret basis $S$ [Ajtai99,AP08]
      - Input $v \in L$, error $e$
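
The GGH slides' contrast between a short signing basis S and a "hard" verification basis B of the same lattice, as an added example that is not part of the presentation: Babai's nearest-plane algorithm run with each basis on one target. The 2-D bases, the target and all function names are constructed for illustration and are assumptions, not values from the slides.

```python
from fractions import Fraction

def dot(a, b):
    return sum(Fraction(x) * y for x, y in zip(a, b))

def gram_schmidt(basis):
    """Gram-Schmidt orthogonalisation of the basis rows (not normalised)."""
    ortho = []
    for b in basis:
        v = [Fraction(x) for x in b]
        for u in ortho:
            mu = dot(b, u) / dot(u, u)
            v = [vi - mu * ui for vi, ui in zip(v, u)]
        ortho.append(v)
    return ortho

def nearest_plane(basis, target):
    """Babai's nearest-plane algorithm: a lattice vector close to target."""
    ortho = gram_schmidt(basis)
    residual = [Fraction(x) for x in target]
    v = [0] * len(target)
    # Walk the basis from last vector to first, picking the nearest hyperplane.
    for b, u in zip(reversed(basis), reversed(ortho)):
        c = round(dot(residual, u) / dot(u, u))
        residual = [r - c * bi for r, bi in zip(residual, b)]
        v = [vi + c * bi for vi, bi in zip(v, b)]
    return v

def error_sq(basis, target):
    """Squared distance between target and the decoded lattice vector."""
    v = nearest_plane(basis, target)
    return sum((t - vi) ** 2 for t, vi in zip(target, v))

# Constructed toy lattice (2-D, illustration only, far too small to be secure).
S = [(7, 1), (-2, 8)]        # short, nearly orthogonal "signing" basis
B = [(13, 35), (21, 61)]     # same lattice: rows are 3*s1+4*s2 and 5*s1+7*s2
T = (20, 30)                 # constructed target point

if __name__ == "__main__":
    for name, basis in (("short S", S), ("hard B", B)):
        print(name, nearest_plane(basis, T), error_sq(basis, T))
```

For the same target, S decodes to a lattice point at squared distance 8 and B to one at squared distance 250. A deterministic decoder's errors are confined to a region fixed by the basis it uses, which is the root of the secret-key leakage listed on slide 42.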
