MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - PowerPoint PPT Presentation

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20

TODAY: Lattice-based Cryptography

Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of lattice-based crypto) o Simple and Efficient o Enabler of Surprising Capabilities (computing on encrypted data)

Solving Linear Equations 5𝑡 ! + 11𝑡 " = 2 2𝑡 ! + 𝑡 " = 6 7𝑡 ! + 𝑡 " = 26 where all equations are over ℤ , the integers

Solving Linear Equations s and A Given : A GOAL : Find s. More generally, 𝑜 variables and 𝑛 ≫ 𝑜 equations.

Solving Linear Equations s and A Given : A GOAL : Find s. EASY! For example, by Gaussian Elimination

Solving Linear Equations s and A Given : A GOAL : Find s. Chop the head? How to make it hard : That is, work modulo some 𝑟 . (1121 𝑛𝑝𝑒 100 = 21) Still EASY! Gaussian Elimination mod 𝑟

Solving Linear Equations s and e A Given : A + GOAL : Find s. How to make it hard : Chop the tail? Add a small error to each equation. Still EASY! Linear regression.

Solving Linear Equations s and e A Given : A + GOAL : Find s. How to make it hard : Chop the head and the tail? Add a small error to each equation and work mod 𝑟 . Turns out to be very HARD!

Learning with Errors (LWE) Solving Noisy Modular Linear Equations s and e A Given : A + GOAL : Find s. Parameters: dimensions 𝒐 and 𝑛 , modulus 𝒓 , error distribution 𝜓 = uniform in some interval [−𝑪, … , 𝑪] . $×& , s from ℤ # & A is chosen at random from ℤ # and e from 𝜓 $ .

Learning with Errors (LWE) u Decoding Random Linear Codes (over F q with L 1 errors) u Learning Noisy Linear Functions u Worst-case hard Lattice Problems [Regev’05, Peikert’09]

Attack 1: Linearization Given 𝑩, 𝑩𝒕 + 𝒇 , find 𝒕 . Idea (a) Each noisy linear equation is an exact polynomial eqn. 𝒐 Consider 𝑐 = 𝒃, 𝒕 + 𝑓 = ∑ 𝒋(𝟐 𝑏 + 𝑡 + + 𝑓. Imagine for now that the error bound 𝐶 = 1. So, 𝑓 ∈ 𝒐 −1,0,1 . In other words, b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + ∈ −1,0,1 . So, here is a noiseless polynomial equation on 𝑡 + : 𝒐 𝒐 𝒐 ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + − 1) ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + ) ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + + 1) = 0

Attack 1: Linearization Given 𝑩, 𝑩𝒕 + 𝒇 , find 𝒕 . BUT: Solving (even degree 2) polynomial equations is NP-hard. 𝒐 𝒐 𝒐 ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + − 1) ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + ) ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + + 1) = 0

Attack 1: Linearization 𝒐 𝒐 𝒐 ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + − 1) ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + ) ( b − ∑ 𝒋(𝟐 𝑏 + 𝑡 + + 1) = 0 Idea (b) Easy to solve given sufficiently many equations. (using a technique called “linearization”) * 𝑏 !"# 𝑡 ! 𝑡 " 𝑡 # + * 𝑏 !" 𝑡 ! 𝑡 " + * 𝑏 ! 𝑡 ! + 𝑐 − 1 𝑐(𝑐 + 1) = 0 Treat each “monomial”, e.g. s , s - s . as an independent variable, e.g. t ,-. . Now, you have a noiseless linear equation in t ,-. !!!

Attack 1: Linearization * 𝑏 !"# 𝑢 !"# + * 𝑏 !" 𝑢 !" + * 𝑏 ! 𝑢 ! + 𝑐 − 1 𝑐(𝑐 + 1) = 0 Solution space (with some eqns): The real solution 0 etc. / 𝑡 𝑢 +/0 = 𝑡 + 𝑡

Attack 1: Linearization * 𝑏 !"# 𝑢 !"# + * 𝑏 !" 𝑢 !" + * 𝑏 ! 𝑢 ! + 𝑐 − 1 𝑐(𝑐 + 1) = 0 Solution space (with more eqns): The real solution 0 etc. / 𝑡 𝑢 +/0 = 𝑡 + 𝑡

Attack 1: Linearization * 𝑏 !"# 𝑢 !"# + * 𝑏 !" 𝑢 !" + * 𝑏 ! 𝑢 ! + 𝑐 − 1 𝑐(𝑐 + 1) = 0 (with even more eqns): Solution space The real solution 0 etc. / 𝑡 𝑢 +/0 = 𝑡 + 𝑡

Attack 1: Linearization * 𝑏 !"# 𝑢 !"# + * 𝑏 !" 𝑢 !" + * 𝑏 ! 𝑢 ! + 𝑐 − 1 𝑐(𝑐 + 1) = 0 Solution space (keep going): The real solution 0 etc. / 𝑡 𝑢 +/0 = 𝑡 + 𝑡

Attack 1: Linearization * 𝑏 !"# 𝑢 !"# + * 𝑏 !" 𝑢 !" + * 𝑏 ! 𝑢 ! + 𝑐 − 1 𝑐(𝑐 + 1) = 0 When #eqns = #vars ≈ 𝑃(𝑜 1 ) the only surviving solution to the linear system is the real solution.

Attack 1: Linearization Given 𝑩, 𝑩𝒕 + 𝒇 , find 𝒕 . Can solve/break as long as 𝒏 ≫ 𝒐 𝟑𝑪4𝟐 We will set 𝐶 = 𝑜 5(!) , in other words polynomial in 𝑜 so as to blunt this attack.

Attack 2: Lattice Decoding a1*s1+a2*s2 a1*s1+a2*s2+e a2 a1 O The famed Lenstra-Lenstra-Lovasz algorithm decodes in polynomial time when 𝒓/𝑪 > 𝟑 𝒐

Setting Parameters Put together, we are safe with: 𝑜 = security parameter (≈ 1 − 10K) 𝑛 = arbitrary poly in 𝑜 𝐶 = small poly in 𝑜, say 𝑜 𝑟 = poly in 𝑜 , larger than 𝐶 , and could be as large as sub-exponential , say 2 & !.## even from quantum computers, AFAWK!

Decisional LWE Can you distinguish between : s + and , e A A , b A Theorem: “Decisional LWE is as hard as LWE”.

OWF and PRG g A (s,e) = As + e "#$ ( A ∈ 𝑎 ! " random “small” secret vector s ∈ 𝑎 ! " : random “small” error vector) 𝒇 ∈ 𝑎 ! • g A is a one-way function (assuming LWE) • g A is a pseudo-random generator (decisional LWE) • g A is also a trapdoor function… • also a homomorphic commitment…

Basic (Secret-key) Encryption [Regev05] n = security parameter, q = “small” modulus & • Secret key sk = Uniformly random vector s Î 𝑎 % • Encryption Enc s ( 𝜈 ): // 𝜈 Î {0,1} & , “small” noise e Î 𝑎 – Sample uniformly random a Î 𝑎 % – The ciphertext c = ( a , b = á a, s ñ + e + 𝜈 𝑟/2 ) • Decryption Dec sk ( c ): Output Round q/2 (b − á a, s ñ mod q) // correctness as long as |e| < q/4

Basic (Secret-key) Encryption [Regev05] We already saw that this scheme is additively homomorphic. 𝒅 = ( a , b = á a, s ñ + e + 𝜈 𝑟/2 ) + Enc s (m) 𝒅′ = ( a ′ , b ′ = á a ′ , s ñ + e ′ + 𝜈 ′ 𝑟/2 ) Enc s (m’) 𝒅 + 𝒅′ = ( a + a ′ , b+ b ′ = á a +a ′ , s ñ + (e+e ′ ) + ( 𝜈 + 𝜈 ′) 𝑟/2 ) 𝒅 + 𝒅′ = ( a + a ′ , b+ b ′ ) In words: 𝑑 + 𝑑′ is an encryption of 𝜈 + 𝜈 ′ (mod 2)

Basic (Secret-key) Encryption [Regev05] You can also negate the encrypted bit easily. We will see how to make this scheme into a fully homomorphic scheme (in the next lec) For now, note that the error increases when you add two ciphertexts. That is, |𝑓 <== ≈ |𝑓 ! + 𝑓 " ≤ 2𝐶. Setting 𝑟 = 𝑜 9:; & and 𝐶 = 𝑜 (for example) lets us support any polynomial number of additions.

Public-key Encryption [Regev05] & • Secret key sk = Uniformly random vector s Î 𝑎 % • Public key pk: for 𝑗 𝑔𝑠𝑝𝑛 1 𝑢𝑝 𝑛 = 𝑞𝑝𝑚𝑧(𝑜) TBD 𝒅 𝒋 = (𝒃 𝒋 , 𝒃 𝒋 , 𝒕 + 𝑓 ! )

Public-key Encryption [Regev05] & • Secret key sk = Uniformly random vector s Î 𝑎 % • Public key pk: for 𝑗 𝑔𝑠𝑝𝑛 1 𝑢𝑝 𝑛 = 𝑞𝑝𝑚𝑧(𝑜) s + e , A A (𝑩, 𝒄 = 𝑩𝒕 + 𝒇) • Encrypting a message bit 𝜈 : pick a random vector 𝒔 ∈ {0,1} ( (𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 ) • Decryption: compute 𝒔𝒄 + 𝜈 𝑟/2 − 𝒔𝑩 𝐭 and round to nearest multiple of q/2.

Correctness • Encrypting a message bit 𝜈 : pick a random vector 𝒔 ∈ {0,1} ( (𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 ) • Decryption: 𝒔𝒄 + 𝜈 𝑟/2 − 𝒔𝑩 𝐭 = 𝒔(𝑩𝒕 + 𝒇) + 𝜈 𝑟/2 − 𝒔𝑩 𝐭 Decryption works as long as | 𝒔𝒇| < 𝒓/𝟓 or in other words, if the LWE error bound B < 𝒓/𝟓𝒏 ≈ q/poly(n) .

Security Theorem: under decisional LWE, the scheme is IND- secure. In fact, even more: a ciphertext together with the public key is pseudorandom. We show this by a hybrid argument. Let’s stare at a public key, ciphertext pair. 𝒒𝒍 = 𝑩, 𝒄 = 𝑩𝒕 + 𝒇 , 𝒅 = 𝑭𝒐𝒅 𝒒𝒍, 𝜈 = 𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 ) Call this distribution Hybrid 0 .

Security Theorem: under decisional LWE, the scheme is IND- secure. In fact, even more: a ciphertext together with the public key is pseudorandom. Hybrid 1 . Change the public key to random (from LWE). ^ 𝒅 = 𝑭𝒐𝒅 ^ 𝒒𝒍 = 𝑩, 𝒄 , _ 𝒒𝒍, 𝜈 = 𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 ) Hybrids 0 and 1 are comp. indist. by decisional LWE.

Detour: Leftover Hash Lemma [Impagliazzo-Levin-Luby’90] We want to understand how 𝒔𝑩, 𝒔𝒄 = 𝒔 𝑩 𝒄] is distributed when 𝐵, 𝑐 is random (and public). 𝒅 𝒃′ 𝑐′ 𝒔 ≈ 𝑩 𝒄 If 𝒔 is truly random, so is 𝒔 𝑩 𝒄] . But 𝒔 is NOT truly random! It has small entries. Nevertheless, 𝒔 has entropy. Leftover hash lemma tells us that matrix multiplication turns (sufficient) entropy into true randomness. We need 𝑛 ≫ 𝑜 + 1 log 𝑟.

Security Theorem: under decisional LWE, the scheme is IND- secure. In fact, even more: a ciphertext together with the public key is pseudorandom. Hybrid 1 . Change the public key to random (from LWE). ^ 𝒅 = 𝑭𝒐𝒅 ^ 𝒒𝒍 = 𝑩, 𝒄 , _ 𝒒𝒍, 𝜈 = 𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 ) Hybrids 0 and 1 are comp. indist. by decisional LWE.