Lattice-Based Cryptography: Constructing Trapdoors and More Applications
Chris Peikert, Georgia Institute of Technology
crypt@b-it 2013
(1 / 18)
Lattice-Based One-Way Functions (2 / 18)

◮ Public key: a matrix $A \in \mathbb{Z}_q^{n \times m}$, for $q = \mathrm{poly}(n)$ and $m = \Omega(n \log q)$.

  $f_A(x) = Ax \bmod q \in \mathbb{Z}_q^n$ ("short" $x$, surjective): CRHF if SIS is hard [Ajtai'96, ...]

  $g_A(s, e) = s^t A + e^t \bmod q \in \mathbb{Z}_q^m$ ("short" $e$, injective): OWF if LWE is hard [Regev'05, P'09]

◮ Lattice interpretation: $\Lambda^\perp(A) = \{x \in \mathbb{Z}^m : f_A(x) = Ax = 0 \bmod q\}$, and for a syndrome $u$ the coset $\Lambda^\perp_u(A) = \{x \in \mathbb{Z}^m : f_A(x) = Ax = u \bmod q\}$. (Figure: the lattice drawn in the plane through the points $O$, $(q, 0)$ and $(0, q)$, with a coset point $x$.)

◮ $f_A$, $g_A$ in the forward direction yield CRHFs, CPA security (w/ FHE!) ... but not much else.
Trapdoor Inversion (3 / 18)

◮ Many cryptographic applications need to invert $f_A$ and/or $g_A$.

  Invert $u = f_A(x') = Ax'$: sample a random $x \leftarrow f_A^{-1}(u)$ with probability $\propto \exp(-\|x\|^2 / s^2)$.

  Invert $g_A(s, e) = s^t A + e^t$: find the unique preimage $s$ (equivalently, $e$).

◮ How? Use a "strong trapdoor" for $A$: a short basis of $\Lambda^\perp(A)$ [Babai'86, GGH'97, Klein'01, GPV'08, P'10]. (Figure: the lattice $\Lambda^\perp(A)$ with its origin $O$ and a short basis.)
Applications of Strong Trapdoors (4 / 18)

Canonical App: [GPV'08] Signatures
◮ $pk = A$, $sk$ = short basis for $A$, random oracle $H : \{0,1\}^* \to \mathbb{Z}_q^n$.
◮ Sign($msg$): let $u = H(msg)$ and output Gaussian $x \leftarrow f_A^{-1}(u)$.
◮ Verify($msg$, $x$): check $f_A(x) = Ax = H(msg)$ and that $x$ is short enough.
◮ Security: finding short enough preimages under $f_A$ must be hard.

Other "Black-Box" Applications of $f^{-1}$, $g^{-1}$
◮ Standard Model (no RO) signatures [CHKP'10, R'10, B'10]
◮ SM CCA-secure encryption [PW'08, P'09]
◮ SM (Hierarchical) IBE [GPV'08, CHKP'10, ABB'10a, ABB'10b]
◮ Many more: OT, NISZK, homomorphic enc/sigs, deniable enc, functional enc, ... [PVW'08, PV'08, GHV'10, GKV'10, BF'10a, BF'10b, OPW'11, AFV'11, ABVVW'11, ...]

Some Drawbacks...
✗ Generating $A$ with a short basis is complicated and slow [Ajtai'99, AP'09]
✗ Known inversion algorithms trade quality for efficiency:

                tight, iterative, floating-point   looser, parallel, offline
  $g_A^{-1}$    [Babai'86]                         [Babai'86]
  $f_A^{-1}$    [Klein'01, GPV'08]                 [P'10]
Today (5 / 18)

"Strong" trapdoor generation and inversion algorithms:
✔ Very simple & fast
  ⋆ Generation: one matrix multiplication. No HNF or inversion (cf. [A'99, AP'09])
  ⋆ Inversion of $f_A$, $g_A$: practical, parallel, & mostly offline
  ⋆ No more efficiency-vs-quality tradeoff
✔ Tighter parameters $m$ and $s$
  ⋆ Asymptotically optimal with small constant factors
✔ New kind of trapdoor — not a basis! (But just as powerful.)
✔ More efficient applications: CCA, (H)IBE in the standard model
Overview of Methods (6 / 18)

1. Design a fixed, public lattice defined by a "gadget" matrix $G$. Design fast, parallel, offline algorithms for $f_G^{-1}$, $g_G^{-1}$.
2. Randomize $G \leftrightarrow A$ via a "nice" unimodular transformation. (The transformation is the trapdoor!)
3. Reduce $f_A^{-1}$, $g_A^{-1}$ to $f_G^{-1}$, $g_G^{-1}$ plus pre-/post-processing.
Step 1: Gadget $G$ and Inversion Algorithms (7 / 18)

◮ Let $q = 2^k$. Define the $1$-by-$k$ "parity check" vector $g := [\,1 \;\; 2 \;\; 4 \;\; \cdots \;\; 2^{k-1}\,] \in \mathbb{Z}_q^{1 \times k}$.
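The three steps of the overview (slide 6) carried out for this gadget, as an added toy example that is not code from the talk: $f_g^{-1}$ is binary decomposition, $g_g^{-1}$ peels the bits of $s$ from the top, and $A = [\bar{A} \mid G - \bar{A}R]$ with short $R$ (the MP12 form of step 2, which these slides have not yet shown) reduces $f_A^{-1}$, $g_A^{-1}$ to the gadget inversions via $[R; I]$. The parameters $k = 8$, $n = 2$, $\bar{m} = 6$ and the error bound $|e_i| < q/4$ are assumptions chosen so the toy runs; nothing here is a secure parameter set.

```python
import numpy as np

# Added example (not the talk's code). Toy parameters, constructed: q = 2^k, n = 2 rows.
k, n, mbar = 8, 2, 6
q = 1 << k
rng = np.random.default_rng(1)
g = np.array([1 << i for i in range(k)])          # g = [1 2 4 ... 2^{k-1}] in Z_q^{1 x k}
G = np.kron(np.eye(n, dtype=int), g)             # gadget G = I_n (x) g, n-by-nk

def f_g_inv(u):
    """f_g^{-1}: the 0/1 vector x with <g, x> = u (mod q), i.e. the binary expansion of u."""
    return np.array([(int(u) >> i) & 1 for i in range(k)])

def g_g_inv(b):
    """g_g^{-1}: recover s from b = s*g + e (mod q), assuming every |e_i| < q/4.
    Bit j of s is the top bit of b_{k-1-j} once the already-known lower bits are removed."""
    s = 0
    for j in range(k):
        i = k - 1 - j
        r = (int(b[i]) - s * (1 << i)) % q       # = s_j * 2^{k-1} + e_i  (mod q)
        if q // 4 < r < 3 * q // 4:              # closer to 2^{k-1} than to 0: s_j = 1
            s |= 1 << j
    return s

def f_G_inv(u):
    """G x = u (mod q) with x in {0,1}^{nk}: invert g on each coordinate independently."""
    return np.concatenate([f_g_inv(ui) for ui in u])

def g_G_inv(b):
    return np.array([g_g_inv(b[i * k:(i + 1) * k]) for i in range(n)])

# Step 2 (assumed MP12 form): A = [Abar | G - Abar R] for a short random R, so A [R; I] = G.
# R is the secret trapdoor; the public key is A alone.
Abar = rng.integers(0, q, size=(n, mbar))
R = rng.integers(-1, 2, size=(mbar, n * k))
A = np.concatenate([Abar, (G - Abar @ R) % q], axis=1)
T = np.concatenate([R, np.eye(n * k, dtype=int)])    # the "nice" transformation [R; I]

def f_A(x):  return (A @ np.asarray(x)) % q
def g_A(s, e): return (np.asarray(s) @ A + np.asarray(e)) % q

def f_A_inv(u):
    """Step 3: x = [R; I] f_G^{-1}(u). Then A x = G z = u and x is short because R is."""
    return T @ f_G_inv(u)

def g_A_inv(b):
    """Step 3: b [R; I] = s^t G + e^t [R; I] (mod q); decode with g_G^{-1}.
    Works while the transformed error e^t [R; I] stays below q/4 in every coordinate."""
    return g_G_inv((np.asarray(b) @ T) % q)
```

Note that this `f_A_inv` returns the one deterministic preimage $[R; I]\,\mathrm{bits}(u)$, so a few outputs would reveal $R$; the slides' $f_A^{-1}$ instead samples a Gaussian preimage with probability $\propto \exp(-\|x\|^2/s^2)$, which is what keeps the distribution of signatures independent of the trapdoor.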