
On Lattices for Cryptography
Jheyne N. Ortiz (1), Robson R. Araujo (2), Sueli I. R. Costa (2), Ricardo Dahab (1), Diego F. Aranha (1)
(1) IC/Unicamp, (2) Imecc/Unicamp
July 25, 2018
LAWCI - Latin American Week on Coding and Information, Unicamp, Campinas - SP



2. Outline
Post-quantum Cryptography: Conventional Cryptography; Quantum Computing; Post-quantum Cryptography
Lattices
Lattice-based cryptography
Aspects of algebraic number theory
Choosing lattice parameters
2 / 19


3. Post-quantum Cryptography: Conventional Cryptography
Cryptography consists of protocols and algorithms for providing
◮ integrity;
◮ confidentiality;
◮ authenticity; and
◮ non-repudiation.
These properties can be obtained by adopting a combination of encryption schemes, key-encapsulation mechanisms, digital signatures, key-exchange protocols, and hash functions.
Keywords: TLS protocol, RSA, ECDSA, SHA-2, AES.
3 / 19

4. Post-quantum Cryptography: Quantum Computing, Bristlecone
Figure 1: Google's new quantum computer, Bristlecone, with 72 qubits.
4 / 19


5. Post-quantum Cryptography: Quantum Computing
Quantum computers are an imminent threat to public-key cryptography. Shor's quantum algorithm can be used to solve the integer factorization and discrete logarithm problems [Sho97], which implies the end of RSA- and ECC-based cryptographic schemes.
Problem: a large amount of past and present personal data is left unprotected from future quantum computational power.
5 / 19

6. Post-quantum Cryptography: Post-quantum Cryptography
Classes of hard computational problems that support new cryptographic primitives and for which efficient quantum algorithms are still unknown.
6 / 19

7. Post-quantum Cryptography: NIST's Call for Post-quantum Standards
7 / 19

8. Post-quantum Cryptography: Post-quantum Submissions
(Pie chart of NIST submissions by family; the chart labels and counts are Lattices 28, Codes 24, Multivariate 13, Others 13, Hash 4.)
◮ Submissions include encryption schemes, digital signatures, and key-encapsulation mechanisms.
◮ Lattice-based cryptography already provides a whole framework of cryptographic primitives!
8 / 19

9. Lattices: Definition of lattice
Let $B = \{b_1, \dots, b_m\} \subset \mathbb{R}^n$ be a set of $m$ linearly independent vectors, $m \le n$. The set
$$\Lambda = \Lambda(B) = \left\{ \sum_{i=1}^{m} x_i b_i : x_i \in \mathbb{Z} \right\}$$
is called a lattice of rank $m$ in $\mathbb{R}^n$. If $n = m$, the lattice $\Lambda(B)$ is called a full-rank lattice.
Remark 1: A lattice is a discrete additive subgroup of $\mathbb{R}^n$.
Remark 2: In this work we consider only full-rank lattices.
9 / 19

10. Lattices: Example in $\mathbb{R}^2$
Example of the full-rank lattice $\Lambda(B) \subset \mathbb{R}^2$ with basis $B = \{(1, 1), (1, -1)\}$.
(Figure: the lattice points of $\Lambda(B)$ with the basis vectors $b_1$ and $b_2$ drawn.)
10 / 19

11. Lattices: Some computational problems over lattices
Consider $\Lambda = \Lambda(B) \subset \mathbb{R}^n$ a full-rank lattice and $\gamma = \gamma(n) \ge 1$ a real number which grows as a function of $n$, called the approximation factor.
◮ Shortest Vector Problem (SVP): find $c \in \Lambda$ such that $\|c\| = \lambda_1(\Lambda)$, where $\lambda_1(\Lambda) := \min_{0 \ne v \in \Lambda} \|v\|$ is called the minimum distance of $\Lambda$.
◮ Approximate SVP (SVP$_\gamma$): find $c \ne 0$ in $\Lambda$ such that $\|c\| \le \gamma(n)\,\lambda_1(\Lambda)$.
◮ Bounded Distance Decoding Problem (BDD$_\gamma$): if $t \in \mathbb{R}^n$ is a target point such that $\|t - v\| < \lambda_1(\Lambda)/(2\gamma(n))$ for some $v \in \Lambda$, BDD$_\gamma$ consists in finding the unique $c \in \Lambda$ such that $\|t - c\| < \lambda_1(\Lambda)/(2\gamma(n))$.
In general, these problems are very hard.
11 / 19
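The definition, the $\mathbb{R}^2$ example and the three problems above can be exercised on a toy lattice by brute force. The following Python is an added example (it is not code from the slides or from the authors): it enumerates the lattice generated by the basis $B = \{(1,1), (1,-1)\}$ of slide 10 over a coefficient box of assumed radius 5, computes $\lambda_1(\Lambda)$, checks an SVP$_\gamma$ candidate, and decodes a BDD target, returning None when the target violates the distance promise. Exhaustive enumeration is exponential in the rank and is only meant to make the definitions concrete.

```python
import itertools
import math

# Constructed example, not from the slides: the full-rank lattice of slide 10,
# generated by the basis B = {b_1, b_2} = {(1, 1), (1, -1)} in R^2.
BASIS = [(1.0, 1.0), (1.0, -1.0)]

def lattice_point(basis, coeffs):
    """The lattice vector sum_i x_i * b_i for the integer coefficients x = coeffs."""
    dim = len(basis[0])
    return tuple(sum(x * b[k] for x, b in zip(coeffs, basis)) for k in range(dim))

def norm(v):
    return math.sqrt(sum(c * c for c in v))

def dist(u, v):
    return norm(tuple(a - b for a, b in zip(u, v)))

def enumerate_points(basis, radius):
    """Every lattice point whose coefficient vector lies in the box [-radius, radius]^m.
    Exhaustive search is exponential in the rank m: feasible only for toy dimensions."""
    m = len(basis)
    for coeffs in itertools.product(range(-radius, radius + 1), repeat=m):
        yield lattice_point(basis, coeffs)

def shortest_vector(basis, radius=5):
    """SVP by brute force: a nonzero lattice vector c with ||c|| = lambda_1(Lambda)."""
    return min((p for p in enumerate_points(basis, radius) if any(p)), key=norm)

def approx_svp_ok(basis, c, gamma, radius=5):
    """Verify a candidate for SVP_gamma: c is a nonzero lattice vector with ||c|| <= gamma * lambda_1."""
    points = set(enumerate_points(basis, radius))
    return c in points and any(c) and norm(c) <= gamma * norm(shortest_vector(basis, radius))

def bdd_decode(basis, target, gamma=1.0, radius=5):
    """BDD_gamma: return the unique lattice point within lambda_1 / (2 gamma) of the target,
    or None when the target is not that close to the lattice (the promise fails)."""
    bound = norm(shortest_vector(basis, radius)) / (2 * gamma)
    close = [p for p in enumerate_points(basis, radius) if dist(target, p) < bound]
    return close[0] if len(close) == 1 else None

if __name__ == "__main__":
    print("lambda_1 =", norm(shortest_vector(BASIS)))                   # sqrt(2)
    print("BDD decode of (0.9, 1.2):", bdd_decode(BASIS, (0.9, 1.2)))  # (1.0, 1.0)
    print("BDD decode of (1.0, 0.0):", bdd_decode(BASIS, (1.0, 0.0)))  # None
```

For this lattice every point has coordinates of equal parity, so $\lambda_1 = \sqrt{2}$ and the BDD radius is $\sqrt{2}/2$; the target $(1, 0)$ sits at distance 1 from its four nearest lattice points and is therefore outside the promise.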

12. Lattice-based cryptography: Foundations of Lattice-based Cryptography
Short Integer Solution [Ajt96]. Given $m$ uniformly random vectors $a_i \in \mathbb{Z}_q^n$, the SIS problem is to find a nontrivial vector $z = (z_1, \dots, z_m) \in \mathbb{Z}^m$ of norm $\|z\| \le \beta$ such that
$$\sum_{i=1}^{m} a_i \cdot z_i = 0 \in \mathbb{Z}_q^n,$$
where $\beta$ is a positive real and $n$, $q$ are positive integers.
Learning with Errors [Reg05]. The LWE problem defines a distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ whose samples are of the form $(a,\ b = \langle s, a \rangle + e \bmod q)$, for $s \in \mathbb{Z}_q^n$ a fixed element called the secret, $a \in \mathbb{Z}_q^n$ a uniformly random element, and $e \leftarrow \psi$ sampled from an error distribution $\psi$ ($q$ and $n$ as in the SIS problem). The search version of the LWE problem consists in finding $s$ given $m$ independent samples $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ drawn from the LWE distribution for a uniformly random secret $s$.
12 / 19
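To make the two definitions concrete, the following Python is an added example (not code from the slides or the authors) that builds constructed toy SIS and LWE instances. The parameters, the seed, and the use of a uniform distribution on a small interval as a stand-in for the error distribution $\psi$ are all assumptions chosen for illustration; real parameters are far larger and use discrete Gaussian errors. The LWE part generates samples for a fixed secret and recovers it by exhaustion over all $q^n$ candidates, which is only possible because the toy parameters are tiny; the SIS part checks candidates against all three conditions (nonzero, short, $\sum_i a_i z_i = 0 \bmod q$) and finds a solution by exhaustion, relying on a pigeonhole argument to guarantee one exists.

```python
import itertools
import math
import random

# Added example, not from the slides: toy SIS and LWE instances with constructed parameters.

def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

# --- Short Integer Solution (SIS) -------------------------------------------

def is_sis_solution(A, z, q, beta):
    """A is a list of m column vectors a_i in Z_q^n. Accept z in Z^m iff z != 0,
    ||z|| <= beta and sum_i a_i * z_i = 0 in Z_q^n."""
    n = len(A[0])
    if not any(z) or math.sqrt(sum(c * c for c in z)) > beta:
        return False
    return all(sum(a[k] * zi for a, zi in zip(A, z)) % q == 0 for k in range(n))

def brute_force_sis(A, q, beta):
    """Exhaustive search over z in {-1, 0, 1}^m: 3^m candidates, toy sizes only."""
    m = len(A)
    return [z for z in itertools.product((-1, 0, 1), repeat=m)
            if is_sis_solution(A, z, q, beta)]

# --- Learning with Errors (LWE) ---------------------------------------------

def lwe_samples(s, q, m, error_bound, rng):
    """m samples (a, b = <s, a> + e mod q): a uniform in Z_q^n, e drawn from the
    toy error distribution psi = uniform on [-error_bound, error_bound]."""
    n = len(s)
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = rng.randint(-error_bound, error_bound)
        b = (sum(si * ai for si, ai in zip(s, a)) + e) % q
        samples.append((a, b))
    return samples

def consistent(samples, s, q, error_bound):
    """True iff every residual b - <s, a> (centered mod q) is a legal error value."""
    return all(abs(centered(b - sum(si * ai for si, ai in zip(s, a)), q)) <= error_bound
               for a, b in samples)

def brute_force_lwe(samples, n, q, error_bound):
    """Search-LWE by exhaustion over all q^n secrets: only the true secret survives
    once m is large enough that a wrong guess is unlikely to fit every sample."""
    return [s for s in itertools.product(range(q), repeat=n)
            if consistent(samples, s, q, error_bound)]

# Constructed toy instances; the fixed seed only makes the run reproducible.
RNG = random.Random(2018)
Q, N, M, BOUND = 31, 2, 12, 1
SECRET = [RNG.randrange(Q) for _ in range(N)]
SAMPLES = lwe_samples(SECRET, Q, M, BOUND, RNG)

# SIS over Z_7^2 with m = 6 columns: the 2^6 = 64 vectors in {0,1}^6 map to only
# 7^2 = 49 possible values of sum_i a_i z_i, so two of them collide and their
# difference is a nonzero solution in {-1,0,1}^6 of norm at most sqrt(6).
SIS_Q, SIS_N, SIS_M = 7, 2, 6
SIS_BETA = math.sqrt(SIS_M)
SIS_A = [[RNG.randrange(SIS_Q) for _ in range(SIS_N)] for _ in range(SIS_M)]

if __name__ == "__main__":
    print("secret:", SECRET, "recovered:", brute_force_lwe(SAMPLES, N, Q, BOUND))
    print("short SIS solutions:", brute_force_sis(SIS_A, SIS_Q, SIS_BETA)[:3])
```

The consistency check is the part worth keeping in mind: for a wrong secret the residual $b - \langle s, a \rangle$ is uniform in $\mathbb{Z}_q$, so with $q = 31$, an error bound of 1 and 12 samples a wrong guess survives with probability about $(3/31)^{12}$, which is why exhaustion over the 961 candidates returns exactly the true secret; the same reasoning at real parameter sizes is what makes the $q^n$ search infeasible.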

13. Aspects of algebraic number theory: Number fields and ring of integers
A field $K$ is said to be a number field if $K \simeq \mathbb{Q}[x]/\langle f(x) \rangle$, where $f(x) \in \mathbb{Q}[x]$ is a monic irreducible polynomial. The degree of $f(x)$ is called the degree of $K$. The set
$$R = \mathcal{O}_K = \{ a \in K : \exists\ \text{monic } g(x) \in \mathbb{Z}[x] \text{ s.t. } g(a) = 0 \}$$
is a ring called the ring of integers of $K$.
13 / 19

14. Aspects of algebraic number theory
The number field $K$ of degree $n$ is said to be totally complex if there exist exactly $n$ monomorphisms $\sigma_i : K \to \mathbb{C}$ ($1 \le i \le n$), where $\sigma_{i+n/2} = \overline{\sigma_i}$ for $1 \le i \le n/2$. From now on, suppose that $K$ is a totally complex number field. The map $\sigma : K \to \mathbb{R}^n$ defined as
$$\sigma(a) = \big( \mathrm{Re}(\sigma_1(a)),\ \mathrm{Im}(\sigma_1(a)),\ \dots,\ \mathrm{Re}(\sigma_{n/2}(a)),\ \mathrm{Im}(\sigma_{n/2}(a)) \big)$$
is known as the canonical embedding. If $\alpha \in R = \mathcal{O}_K$ satisfies $a_i := \sigma_i(\alpha) \in \mathbb{R}_{>0}$, $\alpha$ is called totally positive and we define the map $\sigma_\alpha : K \to \mathbb{R}^n$ as
$$\sigma_\alpha(a) = \big( \sqrt{2a_1}\,\mathrm{Re}(\sigma_1(a)),\ \sqrt{2a_1}\,\mathrm{Im}(\sigma_1(a)),\ \dots,\ \sqrt{2a_{n/2}}\,\mathrm{Re}(\sigma_{n/2}(a)),\ \sqrt{2a_{n/2}}\,\mathrm{Im}(\sigma_{n/2}(a)) \big),$$
called the twisted embedding. If $I$ is an ideal of $R$ then $\sigma(I)$ and $\sigma_\alpha(I)$ are full-rank lattices in $\mathbb{R}^n$.
14 / 19

15. Lattice-based cryptography: Learning with Errors over Rings
Consider $J^\vee = \{ a \in K : \mathrm{Tr}_{K/\mathbb{Q}}(aJ) \subseteq \mathbb{Z} \}$, the dual of an ideal $J \subset R$; $R_q = R/qR$, where $q \ge 2$ is an integer; $K_\mathbb{R} = K \otimes_\mathbb{Q} \mathbb{R}$; and $\mathbb{T} = K_\mathbb{R}/R^\vee$.
Learning with Errors over rings (Ring-LWE) [LPR10]. The Ring-LWE distribution outputs samples of the form
$$(a,\ b = (a \cdot s)/q + e \bmod R^\vee) \in R_q \times \mathbb{T},$$
for the secret $s \in R_q^\vee$, where $a \leftarrow R_q$ is uniformly random and $e \leftarrow \psi$, with $\psi$ an error distribution over $K_\mathbb{R}$.
Ring-LWE search version: for a family of distributions $\Psi$ over $K_\mathbb{R}$, it consists in finding the secret $s$ given arbitrarily many independent samples from the Ring-LWE distribution, for some arbitrary $s \in R_q^\vee$ and $\psi \in \Psi$.
15 / 19

16. Choosing lattice parameters: Twisted Ring-LWE
In usual Ring-LWE, the error $e$ is sampled as the inverse image of some $\tilde{e} \in \mathbb{R}^n$ via the canonical embedding: $e = \sigma^{-1}(\tilde{e})$. If we replace $\sigma$ by $\sigma_\alpha$ and choose $e$ to be $e = \sigma_\alpha^{-1}(\tilde{e})$ for some $\tilde{e} \in \mathbb{R}^n$, we have a new version of Ring-LWE called $\alpha$-Ring-LWE.
Hardness proof [OAD+18]. If $\alpha \in \mathcal{O}_K$ is totally positive, the search version of Ring-LWE is reducible to the search version of $\alpha$-Ring-LWE.
16 / 19
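The canonical and twisted embeddings of slide 14 and the twisted error $e = \sigma_\alpha^{-1}(\tilde{e})$ of slide 16 can both be computed numerically for a small field. The following Python is an added example (not code from the slides or the authors): it assumes $K = \mathbb{Q}[x]/\langle x^4 + 1 \rangle$, the 8th cyclotomic field, which is totally complex of degree 4 with $R = \mathcal{O}_K = \mathbb{Z}[x]/\langle x^4+1 \rangle$, and the constructed twist $\alpha = 2 + x - x^3$, which equals $2 + \zeta + \zeta^{-1}$ and is totally positive. It evaluates the embeddings at a representative of each conjugate pair of roots, checks total positivity, computes the covolume of $\sigma(R)$ and $\sigma_\alpha(R)$ to confirm both are full-rank lattices, and inverts $\sigma_\alpha$ on a constructed $\tilde{e}$ to obtain the $\alpha$-Ring-LWE error in $K_\mathbb{R}$ (real coefficients in the power basis). Only the standard library is used.

```python
import cmath
import math

# Added example, not from the slides: K = Q[x]/(x^4 + 1), the 8th cyclotomic field
# (degree N = 4, totally complex). Elements of K are polynomials a(x) of degree < 4,
# stored as coefficient lists [a_0, a_1, a_2, a_3]; R = O_K = Z[x]/(x^4 + 1).
N = 4
ZETA = cmath.exp(1j * math.pi / 4)   # a primitive 8th root of unity
CONJUGATE_PAIR_REPS = [1, 3]         # zeta^1 and zeta^3 represent the pairs {1,7} and {3,5}

def evaluate(coeffs, z):
    """Horner evaluation of a(z) = sum_j coeffs[j] * z^j."""
    acc = 0j
    for c in reversed(coeffs):
        acc = acc * z + c
    return acc

def sigma(coeffs):
    """The n/2 = 2 complex embeddings sigma_i(a) = a(zeta^k), one per conjugate pair."""
    return [evaluate(coeffs, ZETA ** k) for k in CONJUGATE_PAIR_REPS]

def canonical_embedding(coeffs):
    """sigma(a) = (Re sigma_1(a), Im sigma_1(a), Re sigma_2(a), Im sigma_2(a)) in R^4."""
    vec = []
    for z in sigma(coeffs):
        vec += [z.real, z.imag]
    return vec

def is_totally_positive(alpha):
    """alpha is totally positive iff every sigma_i(alpha) is a real number > 0."""
    return all(abs(z.imag) < 1e-9 and z.real > 0 for z in sigma(alpha))

def twisted_embedding(coeffs, alpha):
    """sigma_alpha(a): each coordinate pair of sigma(a) is scaled by sqrt(2 a_i), a_i = sigma_i(alpha)."""
    if not is_totally_positive(alpha):
        raise ValueError("alpha must be totally positive")
    vec = []
    for a_i, z in zip((w.real for w in sigma(alpha)), sigma(coeffs)):
        s = math.sqrt(2 * a_i)
        vec += [s * z.real, s * z.imag]
    return vec

def embedding_matrix(embed):
    """Matrix M whose column j is embed(x^j); embed is linear, so embed(a) = M * coeffs."""
    cols = [embed([1 if k == j else 0 for k in range(N)]) for j in range(N)]
    return [[cols[j][i] for j in range(N)] for i in range(N)]

def solve(matrix, rhs):
    """Gauss-Jordan elimination with partial pivoting: returns x with matrix * x = rhs."""
    n = len(matrix)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def det(matrix):
    """Determinant by Gaussian elimination (used for the lattice covolume)."""
    m = [row[:] for row in matrix]
    n, d = len(m), 1.0
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            return 0.0
        if pivot != col:
            m[col], m[pivot] = m[pivot], m[col]
            d = -d
        d *= m[col][col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return d

def lattice_volume(embed):
    """Covolume of embed(R) for the power basis 1, x, x^2, x^3 (nonzero <=> full-rank lattice)."""
    return abs(det(embedding_matrix(embed)))

def inverse_embedding(embed, e_tilde):
    """The error e = embed^{-1}(e_tilde) in K_R, returned as real power-basis coefficients."""
    return solve(embedding_matrix(embed), e_tilde)

# Constructed totally positive twist: alpha = 2 + x - x^3 = 2 + zeta + zeta^{-1} (x^7 = -x^3 mod x^4 + 1).
ALPHA = [2, 1, 0, -1]

if __name__ == "__main__":
    print("covolume of sigma(R):      ", lattice_volume(canonical_embedding))                       # 4
    print("covolume of sigma_alpha(R):", lattice_volume(lambda c: twisted_embedding(c, ALPHA)))   # 32
    e_tilde = [0.3, -0.1, 0.25, 0.05]   # a constructed error vector in R^4
    e = inverse_embedding(lambda c: twisted_embedding(c, ALPHA), e_tilde)
    print("sigma_alpha(e) round trip: ", twisted_embedding(e, ALPHA))
```

Two checks in the run are worth understanding: the covolume of $\sigma(R)$ is $4 = 2^{-n/2}\sqrt{|\mathrm{disc}(K)|}$ with $\mathrm{disc}(K) = 256$, and the twist multiplies it by $\prod_{i=1}^{n/2} 2a_i = 2(2+\sqrt{2}) \cdot 2(2-\sqrt{2}) = 8$, giving 32; both being nonzero is the full-rank statement of slide 14. Passing an $\alpha$ that is not totally positive (for instance $x$ itself, whose embeddings are not real) raises an error rather than silently producing a complex scaling.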

17. Choosing lattice parameters: Efficiency versus security
◮ Encoding and decoding in LWE-based cryptographic systems are usually done using the lattice $\mathbb{Z}^k$. Recently, [vP16] proposed replacing $\mathbb{Z}^k$ by the Leech lattice $\Lambda_{24}$ and obtained an improvement of more than 10% in bandwidth. In our opinion, the twisted construction can provide a similar analysis for Ring-LWE-based cryptographic systems.
◮ Attacks have been made against some instances of Ring-LWE using good properties of specific number fields. Because of this, it has been suggested to replace the number fields in use (cyclotomic fields, for example) by non-Galois and/or non-monogenic number fields.
17 / 19

18. References I
[Ajt96] M. Ajtai. Generating Hard Instances of Lattice Problems (Extended Abstract). In Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, STOC '96, pages 99–108, New York, NY, USA, 1996. ACM.
[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On Ideal Lattices and Learning with Errors over Rings, pages 1–23. Springer Berlin Heidelberg, Berlin, Heidelberg, 2010.
[OAD+18] Jheyne N. Ortiz, Robson R. Araujo, Ricardo Dahab, Diego F. Aranha, and Sueli I. R. Costa. In praise of twisted canonical embedding. Cryptology ePrint Archive, Report 2018/356, 2018. https://eprint.iacr.org/2018/356
18 / 19

19. References II
[Reg05] Oded Regev. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC '05, pages 84–93, New York, NY, USA, 2005. ACM.
[Sho97] Peter W. Shor. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput., 26(5):1484–1509, October 1997.
[vP16] Alex van Poppelen. Cryptographic decoding of the Leech lattice. Cryptology ePrint Archive, Report 2016/1050, 2016. http://eprint.iacr.org/2016/1050
19 / 19
