Lattices: ... to Cryptography
Chris Peikert, Georgia Institute of Technology
Visions of Cryptography, 10 December 2013
Agenda

1. The two (really one) main lattice-based OWFs
2. Two simple tricks that yield all* of lattice cryptography
3. Lots of applications
A Hard Problem: Short Integer Solution (SIS)

◮ Goal: given uniform $A \in \mathbb{Z}_q^{n \times m}$, find short nonzero $z \in \mathbb{Z}^m$ such that $Az = 0 \in \mathbb{Z}_q^n$.
  (When $m \ge n \log q$, short solutions are guaranteed to exist.)
◮ Just SVP on the random "$q$-ary" lattice $\mathcal{L}^\perp(A) = \{ z \in \mathbb{Z}^m : Az = 0 \bmod q \}$.
  [Figure: the lattice $\mathcal{L}^\perp(A)$ drawn in the plane, with the origin $O$ and the points $(q,0)$ and $(0,q)$ marked, and a vector $x$ being reduced modulo the lattice.]
◮ $x \mapsto Ax$ reduces $x$ modulo $\mathcal{L}^\perp(A)$.

Worst-Case/Average-Case Connection [Ajtai'96, ..., MR'04, GPV'08, MP'13]
  Finding a solution $z$ with $\|z\| \le \beta \ll q$ (for uniformly random $A$)
  $\Downarrow$
  solving $\mathrm{GapSVP}_{\beta\sqrt{n}}$ and $\mathrm{SIVP}_{\beta\sqrt{n}}$ on any $n$-dimensional lattice.

One-Way & Collision-Resistant Hash Function
◮ Set $m > n \lg q$. Define $f_A : \{0,1\}^m \to \mathbb{Z}_q^n$ as $f_A(x) = Ax$.
◮ A collision $x, x' \in \{0,1\}^m$ with $Ax = Ax'$ yields the solution $z = x - x' \in \{0, \pm 1\}^m$, of norm $\|z\| \le \sqrt{m}$.
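The hash $f_A$ and the collision-to-SIS step above, as an added example that is not part of the slides. It uses toy parameters ($n=2$, $q=5$, $m=6 > n \lg q$) so that a collision of $f_A$ can be found by brute force; the pigeonhole argument is exactly the one on the slide, since $2^m > q^n$. The seeded matrix $A$ is a constructed sample input, not an instance from the talk.

```python
# Added example (not from the slides): the SIS hash f_A(x) = Ax mod q on {0,1}^m
# and the collision -> short-solution reduction.  Toy-sized parameters so a
# collision can be found by exhaustive search; with m > n lg q one must exist.
import itertools
import math
import random

def random_matrix(n, m, q, rng):
    """Uniform A in Z_q^{n x m}, stored as a list of rows."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

def f_A(A, x, q):
    """f_A(x) = A x mod q for a column vector x given as a sequence of ints."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)

def find_collision(A, q):
    """Enumerate {0,1}^m and return the first pair x != x' with f_A(x) = f_A(x').

    Feasible only for toy parameters; when 2^m > q^n a collision always exists.
    """
    m = len(A[0])
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        y = f_A(A, x, q)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None  # unreachable when 2^m > q^n

def collision_to_sis(A, x, x2, q):
    """Turn a collision (x, x') into the SIS solution z = x - x' and validate it."""
    z = [a - b for a, b in zip(x, x2)]
    assert any(z), "x and x' must differ"
    assert all(zi in (-1, 0, 1) for zi in z)                 # z in {0, +-1}^m
    assert all(c == 0 for c in f_A(A, z, q)), "A z must be 0 mod q"
    assert math.sqrt(sum(zi * zi for zi in z)) <= math.sqrt(len(z))  # ||z|| <= sqrt(m)
    return z

def demo(n=2, q=5, m=6, seed=1):
    """Sample A, find a collision of f_A, and return A, the collision and z."""
    assert m > n * math.log2(q)          # the slide's condition m > n lg q
    rng = random.Random(seed)            # constructed sample input: seeded toy instance
    A = random_matrix(n, m, q, rng)
    x, x2 = find_collision(A, q)
    return A, x, x2, collision_to_sis(A, x, x2, q)

if __name__ == "__main__":
    A, x, x2, z = demo()
    print("A =", A)
    print("collision:", x, x2)
    print("SIS solution z =", z, "with A z mod q =", f_A(A, z, 5))
```

The exhaustive search is only to make the reduction concrete; for real parameters finding a collision is exactly the hard SIS instance, which is the point of the slide.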
Another (?) Hard (?) Problem: Learning With Errors (LWE)

◮ Wlog, $A = [\bar{A} \mid I_n] \in \mathbb{Z}_q^{n \times (m+n)}$.
  For $m \ge n \log q$, the function $x \mapsto Ax$ is regular ($\Rightarrow$ many preimages).
◮ What about $m \ll n \log q$? E.g., $m = n$? $m = 100$?
  For short $x = (x_1, x_2)$, the map $x \mapsto Ax = \bar{A}x_1 + x_2$ is highly injective (whp).
  Is it one-way? Pseudorandom?
◮ Lattice interpretation: BDD on $\mathcal{L}(\bar{A}) = \{ v \equiv \bar{A}x_1 \bmod q \}$.
  [Figure: the lattice $\mathcal{L}(\bar{A})$ with a target point $b$ lying close to one lattice point.]
◮ Search $\Leftrightarrow$ decision: $Ax$ is pseudorandom.
◮ As hard as worst-case problems on $m$-dimensional lattices [Regev'05, P'09].
The two amazingly simple tricks behind all of lattice cryptography...
Trick #1: Generate Random Instance with Solution(s)

◮ Generate (pseudo)random $A'$ with a short solution:
  1. Choose $A \leftarrow \mathbb{Z}_q^{n \times m}$ and short $x$.
  2. Let $u = -[A \mid I_n] \cdot x$ and $A' = [u \mid A]$.
     Then $[A' \mid I_n] \cdot \begin{bmatrix} 1 \\ x \end{bmatrix} = u + [A \mid I_n] \cdot x = 0$.
◮ For many solutions, let $U = -[A \mid I_n] \cdot X$ and $A' = [U \mid A]$.
  Then $[A' \mid I_n] \cdot \begin{bmatrix} I_k \\ X \end{bmatrix} = 0$.
◮ Of course, we can also multiply on the left: let $u^t = x^t \begin{bmatrix} A \\ I_m \end{bmatrix}$ and $A' = \begin{bmatrix} u^t \\ A \end{bmatrix}$.
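Trick #1 carried out in code, as an added example that is not part of the slides: it plants $k$ short solutions on the right ($A' = [U \mid A]$) and one on the left ($A' = [u^t ; A]$), then checks the two identities $[A' \mid I_n] \cdot [I_k ; X] = 0$ and $[-1 \mid x^t] \cdot [A' ; I_m] = 0$ mod $q$ explicitly. The parameters, the seeded $A$ and the $\{-1,0,1\}$-valued $X$ and $x$ are constructed sample inputs; pure Python, no numpy.

```python
# Added example (not from the slides): Trick #1, planting one or many short
# solutions into a (pseudo)random SIS instance, with the identities
# [A' | I_n] [I_k ; X] = 0  and  [-1 | x^t] [A' ; I_m] = 0  (mod q) verified.
import random

def matmul(P, Q, q):
    """P Q mod q for row-major integer matrices (len(P[0]) == len(Q))."""
    return [[sum(P[i][t] * Q[t][j] for t in range(len(Q))) % q
             for j in range(len(Q[0]))] for i in range(len(P))]

def hcat(P, Q):
    """[P | Q]: append the columns of Q to the rows of P."""
    return [p + r for p, r in zip(P, Q)]

def vcat(P, Q):
    """[P ; Q]: stack the rows of P above those of Q."""
    return P + Q

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def short_matrix(rows, cols, rng, bound=1):
    """Short X with entries in [-bound, bound] (constructed sample secret)."""
    return [[rng.randint(-bound, bound) for _ in range(cols)] for _ in range(rows)]

def plant_right(A, X, q):
    """A' = [U | A] with U = -[A | I_n] X, so that [A' | I_n] [I_k ; X] = 0 mod q."""
    n = len(A)
    U = [[(-c) % q for c in row] for row in matmul(hcat(A, identity(n)), X, q)]
    return hcat(U, A)

def check_right(A_prime, X, q):
    """Verify [A' | I_n] . [I_k ; X] == 0 mod q."""
    n, k = len(A_prime), len(X[0])
    lhs = matmul(hcat(A_prime, identity(n)), vcat(identity(k), X), q)
    return all(c == 0 for row in lhs for c in row)

def plant_left(A, x, q):
    """Left version: u^t = x^t [A ; I_m] and A' = [u^t ; A]."""
    m = len(A[0])
    u_t = matmul([list(x)], vcat(A, identity(m)), q)   # a 1 x m row vector
    return vcat(u_t, A)

def check_left(A_prime, x, q):
    """Verify [-1 | x^t] . [A' ; I_m] == 0 mod q, i.e. -u^t + x^t [A ; I_m] = 0."""
    m = len(A_prime[0])
    lhs = matmul([[-1] + list(x)], vcat(A_prime, identity(m)), q)
    return all(c == 0 for c in lhs[0])

def demo(n=4, m=6, k=3, q=101, seed=7):
    """Plant k solutions on the right and one on the left; return both instances."""
    rng = random.Random(seed)                        # constructed sample randomness
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    X = short_matrix(m + n, k, rng)                  # k planted solutions in Z^{m+n}
    A_right = plant_right(A, X, q)                   # in Z_q^{n x (k+m)}
    x = [rng.randint(-1, 1) for _ in range(n + m)]   # one short x in Z^{n+m}
    A_left = plant_left(A, x, q)                     # in Z_q^{(n+1) x m}
    return A_right, X, A_left, x

if __name__ == "__main__":
    A_right, X, A_left, x = demo()
    print("right-planted instance valid:", check_right(A_right, X, 101))
    print("left-planted instance valid: ", check_left(A_left, x, 101))
```

Note what the check does not do: it confirms the planted solution is valid, not that $A'$ is pseudorandom. That second property is the LWE assumption on $u = -[A \mid I_n]x$, and no finite test can certify it.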
Key Agreement/Encryption

Public $A \in \mathbb{Z}_q^{n \times m}$. Party $a$ holds a short $s = (s_1, s_2)$; party $b$ holds a short $r = (r_1, r_2)$.
◮ $b$ sends $u = [A \mid I_n]\, r$; $a$ sends $v^t = s^t \begin{bmatrix} A \\ I_m \end{bmatrix}$.
◮ $k_b = v^t \cdot r_1 + \mathrm{err} \approx s_1^t A r_1$ and $k_a = s_1^t \cdot u + \mathrm{err} \approx s_1^t A r_1$.
◮ The view $(A, u, v, k_a)$ is pseudorandom. The overlays argue this in two steps: first $r$ is removed (by LWE, $u$ is replaced by uniform), then $s$ is removed (by LWE, $v$ and $k_a$ are replaced by uniform).
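The exchange above with both parties' messages and both approximate keys, as an added example that is not part of the slides. Party $a$ holds $s=(s_1,s_2)$, party $b$ holds $r=(r_1,r_2)$, all secrets and the two `err` terms are $\{-1,0,1\}$-valued, and $n=m=8$, $q=4099$ are constructed toy parameters. Pure Python, no numpy.

```python
# Added example (not from the slides): the two-message key agreement
#   b -> a :  u   = [A | I_n] r = A r_1 + r_2
#   a -> b :  v^t = s^t [A ; I_m] = s_1^t A + s_2^t
# and the approximate keys k_a = s_1^t u + err, k_b = v^t r_1 + err.
import random

def matvec(A, x, q):
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in A]

def vecmat(x, A, q):
    """x^t A mod q."""
    return [sum(xi * A[i][j] for i, xi in enumerate(x)) % q for j in range(len(A[0]))]

def dot(x, y, q):
    return sum(a * b for a, b in zip(x, y)) % q

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def short_vec(length, rng, bound=1):
    return [rng.randint(-bound, bound) for _ in range(length)]

def party_b_message(A, r1, r2, q):
    """u = [A | I_n] r = A r_1 + r_2  (sent by party b)."""
    return [(a + e) % q for a, e in zip(matvec(A, r1, q), r2)]

def party_a_message(A, s1, s2, q):
    """v^t = s^t [A ; I_m] = s_1^t A + s_2^t  (sent by party a)."""
    return [(a + e) % q for a, e in zip(vecmat(s1, A, q), s2)]

def key_b(v, r1, err, q):
    """k_b = v^t r_1 + err  (~ s_1^t A r_1)."""
    return (dot(v, r1, q) + err) % q

def key_a(u, s1, err, q):
    """k_a = s_1^t u + err  (~ s_1^t A r_1)."""
    return (dot(s1, u, q) + err) % q

def run_exchange(n=8, m=8, q=4099, seed=3):
    """Run the protocol; return (k_a, k_b, exact s_1^t A r_1, per-key error bound)."""
    rng = random.Random(seed)                        # constructed sample randomness
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s1, s2 = short_vec(n, rng), short_vec(m, rng)    # party a's secret s = (s_1, s_2)
    r1, r2 = short_vec(m, rng), short_vec(n, rng)    # party b's secret r = (r_1, r_2)
    err_a, err_b = rng.randint(-1, 1), rng.randint(-1, 1)

    u = party_b_message(A, r1, r2, q)                # b -> a
    v = party_a_message(A, s1, s2, q)                # a -> b
    k_a = key_a(u, s1, err_a, q)
    k_b = key_b(v, r1, err_b, q)
    exact = dot(s1, matvec(A, r1, q), q)             # s_1^t A r_1; neither party computes it

    # k_a - exact = s_1^t r_2 + err_a  and  k_b - exact = s_2^t r_1 + err_b,
    # each a sum of at most max(n, m) products of {-1,0,1} values plus one error.
    bound = max(n, m) + 1
    return k_a, k_b, exact, bound

if __name__ == "__main__":
    k_a, k_b, exact, bound = run_exchange()
    print("k_a =", k_a, " k_b =", k_b, " s_1^t A r_1 =", exact)
    print("|k_a - k_b| centered =", abs(centered(k_a - k_b, 4099)), "<=", 2 * bound)
```

The slide stops at $k_a \approx k_b$; it does not show how the approximate agreement is turned into identical key bits. In this run the gap $|k_a - k_b|$ is at most $n + m + 2$, and any rounding or reconciliation step layered on top needs that gap to be far below $q$, which is why $q$ must grow with the dimension and the error size.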
Trick #2: Inverting an Easy Function

◮ A special parity-check matrix: let $g^t = [1\ \ 2\ \ 4\ \cdots\ 2^{k-1}]$ with $2^{k-1} \ge q/2$ (so $k = \lceil \lg q \rceil$ suffices), and
  $G = \begin{bmatrix} \cdots g^t \cdots & & & \\ & \cdots g^t \cdots & & \\ & & \ddots & \\ & & & \cdots g^t \cdots \end{bmatrix} \in \mathbb{Z}_q^{n \times nk}$, i.e. $G = I_n \otimes g^t$.
◮ Invert SIS: given $u \in \mathbb{Z}_q^n$, can compute $x \in \{0,1\}^{nk}$ s.t. $Gx = u$ (the binary expansion of each entry of $u$).
  More generally, can sample a Gaussian $x \leftarrow G^{-1}(u)$.
  Can generate $(x, u)$ in two equivalent ways:
    $u \leftarrow \mathbb{Z}_q^n$ uniform, then $x \leftarrow G^{-1}(u)$ (Gaussian); or $x \leftarrow$ Gauss, then $u = Gx$.
◮ Invert LWE: given $v^t = x^t \begin{bmatrix} G \\ I \end{bmatrix} \approx [x_1\ \ 2x_1\ \cdots\ 2^{k-1}x_1\ \cdots]$, find $x$.
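Both inversions on this slide, as an added example that is not part of the slides: building $G = I_n \otimes g^t$, inverting SIS by binary expansion ($Gx = u$ with $x \in \{0,1\}^{nk}$), and inverting LWE on $v^t = x_1^t G + x_2^t$ bit by bit from the top entry of each block. One assumption is mine and not on the slide: the LWE inversion below takes $q = 2^k$ so that entry $k-1$ of each block is $(q/2)(x_{1,i} \bmod 2) + e$ and a single rounding decides each bit; the general-$q$ case and the Gaussian sampler $G^{-1}(u)$ are not shown. Parameters ($n=3$, $k=8$) and the seeded inputs are constructed.

```python
# Added example (not from the slides): the gadget G = I_n (x) g^t with
# g^t = [1 2 4 ... 2^{k-1}], inversion of SIS (G x = u, x binary) and inversion
# of LWE (v^t = x_1^t G + x_2^t, x_2 small).  Assumption (ours): q = 2^k for the
# LWE step, so each block of v decodes one bit at a time from the top entry down.
import random

def gadget_matrix(n, k, q):
    """G in Z_q^{n x nk}: row i carries g^t = [1, 2, ..., 2^{k-1}] in columns ik..ik+k-1."""
    G = [[0] * (n * k) for _ in range(n)]
    for i in range(n):
        for j in range(k):
            G[i][i * k + j] = pow(2, j, q)
    return G

def gadget_mul(G, x, q):
    return [sum(g * xi for g, xi in zip(row, x)) % q for row in G]

def invert_sis(u, k, q):
    """x in {0,1}^{nk} with G x = u: the k-bit binary expansion of each u_i, LSB first."""
    x = []
    for ui in u:
        ui %= q
        x.extend((ui >> j) & 1 for j in range(k))
    return x

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def lwe_gadget_sample(x1, x2, k, q):
    """v^t = x_1^t G + x_2^t: block i is [x_1i, 2 x_1i, ..., 2^{k-1} x_1i] plus small error."""
    n = len(x1)
    G = gadget_matrix(n, k, q)
    v = [sum(x1[i] * G[i][j] for i in range(n)) for j in range(n * k)]
    return [(a + e) % q for a, e in zip(v, x2)]

def invert_lwe(v, n, k, q):
    """Recover x_1 from v^t = x_1^t G + x_2^t when q = 2^k and every |x_2j| < q/4.

    In block i, entry j is 2^j s + e_j mod q with s = x_1i.  Entry k-1 equals
    (q/2)(s mod 2) + e_{k-1}, so rounding to {0, q/2} yields the low bit; the
    known low bits are then subtracted from entry k-2 to expose the next bit, etc.
    """
    assert q == 1 << k, "this inversion assumes q = 2^k (our simplification)"
    x1 = []
    for i in range(n):
        block = v[i * k:(i + 1) * k]
        s = 0                                      # low bits of x_1i recovered so far
        for bit in range(k):
            j = k - 1 - bit                        # entry where bit 'bit' sits at weight q/2
            residue = centered(block[j] - (1 << j) * s, q)   # = (q/2)*bit + e_j
            if abs(residue) > q // 4:              # closer to q/2 than to 0
                s |= 1 << bit
        x1.append(s)
    return x1

def demo(n=3, k=8, seed=5):
    """Round-trip both inversions on constructed inputs; return (u, x, x_1, recovered x_1)."""
    q = 1 << k
    rng = random.Random(seed)                          # constructed sample inputs
    u = [rng.randrange(q) for _ in range(n)]
    x = invert_sis(u, k, q)
    assert gadget_mul(gadget_matrix(n, k, q), x, q) == u
    x1 = [rng.randrange(q) for _ in range(n)]          # LWE secret: one Z_q entry per block
    x2 = [rng.randint(-3, 3) for _ in range(n * k)]    # small error, well below q/4 = 64
    v = lwe_gadget_sample(x1, x2, k, q)
    return u, x, x1, invert_lwe(v, n, k, q)

if __name__ == "__main__":
    u, x, x1, recovered = demo()
    print("u =", u, "-> binary x of length", len(x))
    print("LWE secret x_1 =", x1, " recovered =", recovered)
```

The error tolerance is the practitioner's check here: decoding a bit compares a residue against $q/4$, so the inversion is exact whenever every error coordinate satisfies $|x_{2,j}| < q/4$, and a single larger error flips a bit and corrupts every higher bit of that block.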