Lattice Assumptions in Crypto: Status Update, Chris Peikert - PowerPoint PPT Presentation

  1. Lattice Assumptions in Crypto: Status Update. Chris Peikert, University of Michigan (covers work with Oded Regev and Noah Stephens-Davidowitz, to appear, STOC’17). 10 March 2017. 1 / 14

  2. Lattice-Based Cryptography
  [Figure: the symbols of number-theoretic crypto ($N = p \cdot q$, $m^e \bmod N$, $(g^a, g^b)$) $\Rightarrow$ a lattice; images courtesy xkcd.org]
  Main Attractions
  ◮ Efficient: linear, embarrassingly parallel operations
  ◮ Resists quantum attacks (so far)
  ◮ Security from worst-case assumptions
  ◮ Solutions to ‘holy grail’ problems in crypto: FHE and related
  2 / 14

  3. Learning With Errors [Regev’05]
  ◮ Parameters: dimension $n$, integer modulus $q$, error ‘rate’ $\alpha$
  ◮ Search: find secret $s \in \mathbb{Z}_q^n$ given many ‘noisy inner products’
    $a_1 \leftarrow \mathbb{Z}_q^n,\quad b_1 = \langle a_1, s \rangle + e_1 \in \mathbb{Z}_q$
    $a_2 \leftarrow \mathbb{Z}_q^n,\quad b_2 = \langle a_2, s \rangle + e_2 \in \mathbb{Z}_q$
    $\ldots$
    (each error term $e_i$ has width $\alpha q$)
  ◮ Decision: distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$
  LWE is Hard and Versatile
    worst-case $(n/\alpha)$-SIVP on $n$-dim lattices $\;\le\;$ search-LWE (quantum [R’05]) $\;\le\;$ decision-LWE [BFKL’93, R’05, …] $\;\le\;$ much crypto
  ◮ Classically, GapSVP $\le$ search-LWE (worse params) [P’09, BLPRS’13]
  3 / 14

  4. LWE Hardness and Parameters
  ◮ Parameters: dimension $n$, integer modulus $q$, error ‘rate’ $\alpha$
  Worst case SIVP $\le$ Search-LWE
  ◮ One reduction for best known parameters: any $q \ge \sqrt{n}/\alpha$ [R’05]
  Search-LWE $\le$ Decision-LWE
  ◮ Messy. Many incomparable reductions for different forms of $q$:
    ⋆ Any prime $q = \mathrm{poly}(n)$ [R’05]
    ⋆ Any “somewhat smooth” $q = p_1 \cdots p_t$ (large enough primes $p_i$) [P’09]
    ⋆ Any $q = p^e$ for large enough prime $p$ [ACPS’09]
    ⋆ Any $q = p^e$ with uniform error mod $p_i$ [MM’11]
    ⋆ Any $q = p^e$ — but increases $\alpha$ [MP’12]
    ⋆ Any $q$ via “mod-switching” — but increases $\alpha$ [P’09, BV’11, BLPRS’13]
  ◮ Increasing $q$, $\alpha$ yields a weaker ultimate hardness guarantee.
  4 / 14
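As an added worked example (not code from the talk or its authors), the sample generation of slide 3 and the mod-switching step listed on slide 4, in Python: with the secret in hand the residual $b_i - \langle a_i, s \rangle \bmod q$ recovers the small error (and is uniform for uniform samples), and switching the samples from $q$ to a smaller $q_2$ visibly raises the empirical error rate. Assumed here, not stated on the slides: errors are a rounded Gaussian of width $\alpha q$, the secret is binary (the short-secret form the mod-switching reductions work with), and the toy parameters $n = 16$, $q = 3329$, $q_2 = 257$, $\alpha = 0.005$ are for illustration only.

```python
import math
import random

def lwe_samples(n, q, alpha, s, m, rng):
    # m samples (a_i, b_i, e_i): a_i uniform in Z_q^n, b_i = <a_i, s> + e_i mod q,
    # with e_i a rounded Gaussian of 'width' alpha*q (std alpha*q/sqrt(2*pi)).
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = round(rng.gauss(0.0, alpha * q / math.sqrt(2 * math.pi)))
        out.append((a, (sum(x * y for x, y in zip(a, s)) + e) % q, e))
    return out

def uniform_samples(n, q, m, rng):
    # The distribution decision-LWE must be told apart from: (a_i, b_i) uniform.
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q), None) for _ in range(m)]

def residual(a, b, s, q):
    # Given s, b - <a, s> mod q (centered in (-q/2, q/2]) is the small error e
    # for an LWE sample but a uniform element of Z_q for a uniform sample.
    r = (b - sum(x * y for x, y in zip(a, s))) % q
    return r - q if r > q // 2 else r

def rms_rate(samples, s, q):
    # Empirical error rate: root-mean-square residual divided by the modulus.
    r = [residual(a, b, s, q) for a, b, _ in samples]
    return math.sqrt(sum(x * x for x in r) / len(r)) / q

def mod_switch(samples, q, q2):
    # Map a sample from Z_q to Z_{q2} by rounding (a, b) * q2/q. The rounding
    # adds fresh error weighted by s, which is why mod-switching raises alpha.
    return [([round(x * q2 / q) % q2 for x in a], round(b * q2 / q) % q2, e)
            for a, b, e in samples]

def demo(seed=2017, n=16, q=3329, alpha=0.005, q2=257, m=200):
    # Toy parameters; the binary secret is this example's assumption (short-secret form).
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(n)]
    lwe = lwe_samples(n, q, alpha, s, m, rng)
    uni = uniform_samples(n, q, m, rng)
    sw = mod_switch(lwe, q, q2)
    # Rounding contributes at most 1/2 from b and 1/2 per nonzero secret coordinate.
    bound = max(abs(e) for *_, e in lwe) * q2 / q + 0.5 * (1 + sum(s))
    return {
        "recovers_error": all(residual(a, b, s, q) == e for a, b, e in lwe),
        "max_uniform_residual": max(abs(residual(a, b, s, q)) for a, b, _ in uni),
        "switched_within_bound": max(abs(residual(a, b, s, q2)) for a, b, _ in sw) <= bound,
        "rate_before": rms_rate(lwe, s, q),
        "rate_after": rms_rate(sw, s, q2),
    }
```

Calling `demo()` returns the checks as a dictionary; the switched samples stay within the rounding bound while their error rate relative to the new modulus goes up, which is the cost the slide attributes to mod-switching.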

  5. LWE is Efficient (Sort Of)
  ◮ Getting one pseudorandom scalar requires an $n$-dim inner product mod $q$:
    $\begin{bmatrix} \cdots & a_i & \cdots \end{bmatrix} \cdot \begin{bmatrix} \vdots \\ s \\ \vdots \end{bmatrix} + e = b \in \mathbb{Z}_q$
  ◮ Can amortize each $a_i$ over many secrets $s_j$, but still $\tilde{O}(n)$ work per scalar output.
  ◮ Cryptosystems have rather large keys: $\Omega(n^2 \log^2 q)$ bits:
    $pk = \bigl(\, A \mid b \,\bigr)$, where $A$ has $\Omega(n)$ rows of $n$ entries each, with $b$ as one more column
  5 / 14

  6. Wishful Thinking. . .
  ◮ Get $n$ pseudorandom scalars from just one cheap product operation?
    $a_i \star s + e_i = b_i \in \mathbb{Z}_q^n$
  6 / 14
