
Introduction to Lattice Based Cryptography
Eduardo Morais (advisor: Ricardo Dahab), Unicamp
ASCrypto 2013, October 18, 2013

Agenda: Introduction; Definitions; Dual Lattices; q-ary Lattices; Hard Problems; Schemes: Goldreich,


  1. Babai's Roundoff Algorithm. Compute x ≡ t (mod B) by solving a linear system. (Figure: basis b1, b2, the orthogonal vectors b1⊥, b2⊥, target t; the ball B_d ⊂ P(B), with d = min_i(b_i⊥).)

  2. Babai's Nearest Plane Algorithm. Compute x ≡ t (mod B̃) iteratively. (Figure: basis b1, b2, Gram–Schmidt vector b̃2, target t; the ball B_d ⊂ P(B̃), with d = min_i(b̃_i).)

  3. Babai's Nearest Plane Algorithm. (3-D figure: basis b1, b2, b3, Gram–Schmidt vector b̃3, target t, intermediate points t′ and s′; axes x, y, z.)

  4. Babai's Nearest Plane Algorithm. (Figure: basis b1, b2, Gram–Schmidt vector b̃2, point s′; axes x, y, z.)

  5. Part II - Crypto

  6. Goldreich, Goldwasser and Halevi (GGH). No security proof. Trapdoor: orthogonality. Good basis: V = (v1, v2); bad basis: B = (b1, b2). Encrypt r: c = v + r (mod B). Decrypt: r = c − v. (Figure: lattice point v, error r, ciphertext c, and the two bases.)

  7. Ajtai's Construction. f_A(x) = Ax is surjective; for small x this is the SIS problem. A collision x, x′ gives the short vector x − x′ in Λ⊥_q. Worst-case to average-case reduction; quantum reduction. (Figure: q-ary lattice points (0,0), (7,0), (0,7), (7,7), (2,6), (4,5), (6,4), (1,3), (3,2), (5,1); basis b1, b2.)

  8. Learning With Errors. Search problem: given b_i = ⟨a_i, s⟩ + e_i, find s. Decision problem: distinguish (a_i, b_i) from uniform. Search-to-decision reduction.

  9–10. Learning With Errors. g_A(x) = Ax + e is injective. Worst-case to average-case reduction; quantum reduction. (Figure: q-ary lattice points (0,0), (7,0), (0,7), (7,7), (2,6), (4,5), (6,4), (1,3), (3,2), (5,1); basis b1, b2.)

  11–13. LWE Based Cryptosystem. Alice holds the secret s and publishes b = As + e. Bob encrypts m as (c1, c2) = (Ax, bx + m·q/2). Alice decrypts: m·q/2 = c2 − c1·s.

  14. Cyclotomic Rings. Φ_{2^n}(x) = x^{2^{n−1}} + 1; if ζ_{2^n} ∈ Z_q then Φ_{2^n} ≡ ∏_{i ∈ Z*_{2^n}} (x − ζ_{2^n}^i). Example ring: Z_5[x]/(x² + 1), with x² + 1 ≡ (x + 2)(x + 3) and a(x) = 3x + 3. (Figure: points (0,0), (5,0), (0,5), (5,5), (3,3).)

  15. Coefficient Representation. Ring Z_5[x]/(x² + 1), x² + 1 ≡ (x + 2)(x + 3) ≡ (x − 3)(x − 2). a(x) = 3x + 3 ↔ (3, 3)^T; 2·(3x + 3) ≡ x + 1 ↔ (1, 1)^T. (Figure: points (0,0), (5,0), (0,5), (5,5), (3,3), (1,1).)

  16. Evaluation Representation. Ring Z_5[x]/(x² + 1), x² + 1 ≡ (x + 2)(x + 3); a(x) = 3x + 3, 2a(x) ≡ x + 1. Evaluating at the roots: a(2) ≡ 4, a(3) ≡ 2, so a ↔ (4, 2)^T and 2a ↔ (3, 4)^T. The map is an FFT. (Figure: points (0,0), (5,0), (0,5), (5,5), (4,2), (3,4).)

  17. Cyclotomic Rings. FFT (Vandermonde matrix, rows (1, 2) and (1, 3)): [1 2; 1 3]·(3, 3)^T = (4, 2)^T. FFT⁻¹ (Vandermonde inverse): [3 −2; −1 1]·(3, 4)^T = (1, 1)^T. All arithmetic mod 5. (Figure: (3,3) → (4,2) under FFT, (3,4) → (1,1) under FFT⁻¹.)
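The two representations of slides 14–17, as an added worked example that is not part of the slides: it generalises the Z_5[x]/(x² + 1) case to Z_q[x]/(xⁿ + 1) for n a power of two and a prime q that contains a primitive 2n-th root of unity ζ, in which case the roots of xⁿ + 1 are the odd powers of ζ and the polynomial splits into linear factors as on slide 14. The forward map is the Vandermonde matrix of slide 17; for the inverse I use the closed form a_j = n⁻¹ Σ_i A_i r_i^(−j) rather than inverting the matrix, and I check that the map is a ring homomorphism (negacyclic product in coefficient form equals the pointwise product in evaluation form). All function names are mine.

```python
# Coefficient vs. evaluation representation of R_q = Z_q[x]/(x^n + 1), n a power of two.
# Added example, not from the slides. Requires a prime q with a primitive 2n-th root of unity
# (q = 5 for n = 2 as on the slides; q = 17 for n = 4; q = 257 for n = 8, ...).

def primitive_root_of_unity(order, q):
    """Return some zeta in Z_q with zeta^order = 1 and zeta^(order/2) = -1 (order a power of two)."""
    for g in range(2, q):
        if pow(g, order, q) == 1 and pow(g, order // 2, q) == q - 1:
            return g
    raise ValueError(f"no primitive {order}-th root of unity mod {q}")


def roots_of_x_n_plus_1(n, q):
    """The n roots of x^n + 1 in Z_q: the odd powers zeta, zeta^3, ..., zeta^(2n-1)."""
    zeta = primitive_root_of_unity(2 * n, q)
    return [pow(zeta, 2 * i + 1, q) for i in range(n)]


def coeff_to_eval(a, q, roots):
    """Forward map (the Vandermonde matrix): coefficients (a_0, ..., a_{n-1}) -> (a(r_0), ..., a(r_{n-1}))."""
    return [sum(c * pow(r, j, q) for j, c in enumerate(a)) % q for r in roots]


def eval_to_coeff(values, q, roots):
    """Inverse map: a_j = n^{-1} * sum_i A_i * r_i^{-j}.  Valid because the r_i are exactly the odd
    powers of zeta_{2n}, so sum_i r_i^{k-j} is n when k = j and 0 otherwise."""
    n = len(roots)
    n_inv = pow(n, -1, q)
    return [n_inv * sum(v * pow(r, -j, q) for v, r in zip(values, roots)) % q for j in range(n)]


def mul_coeff(a, b, q):
    """Schoolbook product in Z_q[x]/(x^n + 1): a term reaching x^n wraps around with a minus sign."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj
    return [v % q for v in c]


def mul_eval(a, b, q, roots):
    """Same product via the evaluation representation: transform, multiply pointwise, transform back."""
    A = coeff_to_eval(a, q, roots)
    B = coeff_to_eval(b, q, roots)
    return eval_to_coeff([x * y % q for x, y in zip(A, B)], q, roots)


if __name__ == "__main__":
    roots = roots_of_x_n_plus_1(2, 5)                                   # [2, 3], roots of x^2 + 1 in Z_5
    print("3x+3 in evaluation form:", coeff_to_eval([3, 3], 5, roots))   # [4, 2], as on slide 16
    print("(3,4) back to coefficients:", eval_to_coeff([3, 4], 5, roots))  # [1, 1], as on slide 17
```

The Vandermonde products here are O(n²); the slides call the map an FFT because, once the roots are ordered as powers of ζ, the same transform can be evaluated in O(n log n) by the usual butterfly recursion, which is what makes Ring LWE key generation, encryption and decryption quasi-linear.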

  18. Ring LWE. g_A(x) = Ax + e with A = [2 1; 1 3]. Ideal generated by p(x) = x + 2: p(x) ↔ (2, 1), x·p(x) ↔ (−1, 2). (Figure: ideal lattice points (0,0), (5,0), (0,5), (5,5), (2,1), (−1,2), (4,2), (1,3), (3,4); basis b1, b2.)

  19–23. Ring LWE
  ◮ Better reductions, better parameters
  ◮ Encryption, decryption, keygen: Õ(n)
  ◮ Preimage sampleable trapdoors
  ◮ Digital signatures
  ◮ Cryptomania: IBE, ABE, FE, FHE

  24–26. NTRU-like Cryptosystem [13]. Alice holds f, g and publishes A ≡ f/g (mod q). Bob encrypts: c ≡ 2(Ax + e) + m. Alice decrypts: cg ≡ 2(fx + eg) + mg, so m ≡ (cg (mod 2))/g.

  27–29. Dual LWE. Alice holds the short e and publishes u ≡ f_A(e). Bob encrypts the bit b: c1 = g_A(s, x), c2 = u^T s + e′ + b·⌊q/2⌋. Alice decrypts: b ≡ c2 − e^T c1.
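The primal scheme of slides 11–13 and the dual scheme of slides 27–29, as one added example that is not from the slides, written so that both use the same public matrix A. The parameters n = 8, m = 40, q = 257 and noise in {−1, 0, 1} are toy values with no security at all; they are chosen so that the decryption noise (x^T e, at most 40, plus e′ in the dual scheme) always stays below q/4 = 64, which makes decryption deterministic. The slides write the primal ciphertext as Ax; here A is m × n with b = As + e, so the row combination is x^T A and x^T b. Function names and the `decode` threshold are mine.

```python
import random

# Added example, not from the slides: bit encryption from primal LWE (Regev style, slides 11-13)
# and from dual LWE (GPV style, slides 27-29) over the same public matrix A.
# Toy parameters, NOT secure: n secret coordinates, m samples, modulus q, noise in {-1, 0, 1}.
N, M, Q = 8, 40, 257
NOISE = 1


def inner(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q


def mat_vec(A, v, q):
    """A (m x n) times v (n entries) -> m entries."""
    return [inner(row, v, q) for row in A]


def vec_mat(u, A, q):
    """u^T A: u (m entries) times A (m x n) -> n entries."""
    return [sum(u[i] * A[i][j] for i in range(len(A))) % q for j in range(len(A[0]))]


def small(rng, k, bound=NOISE):
    return [rng.randint(-bound, bound) for _ in range(k)]


def decode(v, q):
    """v = bit*floor(q/2) + small noise; pick whichever of 0 and q/2 is nearer (mod q)."""
    return 0 if min(v, q - v) < q // 4 else 1


# --- Primal LWE (slides 11-13): the public key is an LWE instance, the secret is s ---
def lwe_keygen(rng, n=N, m=M, q=Q):
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = small(rng, m)
    b = [(bi + ei) % q for bi, ei in zip(mat_vec(A, s, q), e)]   # b = A s + e
    return (A, b), s


def lwe_encrypt(pk, bit, rng, q=Q):
    A, b = pk
    x = [rng.randint(0, 1) for _ in range(len(A))]    # random subset of the m samples
    c1 = vec_mat(x, A, q)                              # x^T A   (the slides' "Ax")
    c2 = (inner(x, b, q) + bit * (q // 2)) % q          # x^T b + m*q/2
    return c1, c2


def lwe_decrypt(s, ct, q=Q):
    c1, c2 = ct
    return decode((c2 - inner(c1, s, q)) % q, q)        # c2 - c1.s = x^T e + m*q/2


# --- Dual LWE (slides 27-29): the secret is a short e, the public key u = f_A(e) is a SIS image ---
def dual_keygen(rng, A, q=Q):
    e = small(rng, len(A))
    return vec_mat(e, A, q), e                          # u = e^T A


def dual_encrypt(A, u, bit, rng, q=Q):
    s = [rng.randrange(q) for _ in range(len(A[0]))]
    x = small(rng, len(A))
    c1 = [(v + xi) % q for v, xi in zip(mat_vec(A, s, q), x)]    # g_A(s, x) = A s + x
    e_prime = rng.randint(-NOISE, NOISE)
    c2 = (inner(u, s, q) + e_prime + bit * (q // 2)) % q          # u^T s + e' + b*floor(q/2)
    return c1, c2


def dual_decrypt(e, ct, q=Q):
    c1, c2 = ct
    return decode((c2 - inner(e, c1, q)) % q, q)        # c2 - e^T c1 = e' - e^T x + b*floor(q/2)


def noise_fits(m, bound, q):
    """Worst-case decryption noise m*bound (+1 for e' in the dual scheme) must stay below q/4."""
    return m * bound + 1 < q // 4


def roundtrip(trials=100, seed=1):
    """Encrypt alternating bits with both schemes; return the number of decryption failures."""
    rng = random.Random(seed)
    (A, b), s = lwe_keygen(rng)
    u, e = dual_keygen(rng, A)
    failures = 0
    for t in range(trials):
        bit = t % 2
        failures += lwe_decrypt(s, lwe_encrypt((A, b), bit, rng)) != bit
        failures += dual_decrypt(e, dual_encrypt(A, u, bit, rng)) != bit
    return failures


if __name__ == "__main__":
    print("noise bound respected:", noise_fits(M, NOISE, Q))   # True
    print("decryption failures:", roundtrip())                 # 0
```

The two schemes are mirror images: the primal public key b = As + e is an LWE sample hiding s, while the dual public key u = e^T A is the SIS image of a short e. That second form is what the identity-based scheme of slides 30–34 relies on, since a trapdoor for A lets the PKG run Extract by inverting f_A on u = H(ID) to obtain the short e that decrypts.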

  30–34. Identity Based Encryption. Setup: the PKG holds A with trapdoor s. Alice computes u = H(ID_B) and sends Bob (c1, c2) = DualEnc(u, m_A). Bob asks the PKG for s_{ID_B}; Extract: the PKG returns e = f⁻¹(u). Bob decrypts with DualDec(c1, c2).

  35–38. Functional Encryption f(x, y). Setup: PKG. The users Alice, Bob, Carol, Dave, Eve and Fred receive the keys s_{y_A}, …, s_{y_F}. Alice encrypts under policy x: c_A = Enc_{x_A}(m_A). Bob and Carol decrypt: Dec_{y_B}(c_A), Dec_{y_C}(c_A).

  39–40. Attribute Based Encryption. Setup: PKG. The users Alice, Bob, Carol, Dave, Eve and Fred receive the keys s_A, …, s_F.
