Session #10: (More) Trapdoors and Applications
Chris Peikert, Georgia Institute of Technology
Winter School on Lattice-Based Cryptography and Applications
Bar-Ilan University, Israel
19 Feb 2012 – 22 Feb 2012
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/16

Lattice-Based One-Way Functions

◮ Public key $A \in \mathbb{Z}_q^{n \times m}$ for $q = \mathrm{poly}(n)$, $m = \Omega(n \log q)$.

  $f_A(x) = Ax \bmod q \in \mathbb{Z}_q^n$ (“short” $x$, surjective). CRHF if SIS hard [Ajtai’96, ...]

  $g_A(s, e) = s^t A + e^t \bmod q \in \mathbb{Z}_q^m$ (“short” $e$, injective). OWF if LWE hard [Regev’05, P’09]

◮ Lattice interpretation:
  $\Lambda^\perp(A) = \{ x \in \mathbb{Z}^m : f_A(x) = Ax = 0 \bmod q \}$
  $\Lambda^\perp_u(A) = \{ x \in \mathbb{Z}^m : f_A(x) = Ax = u \bmod q \}$
  [Figure: the lattice, with the origin O, the points (0, q) and (q, 0), and a point x marked.]

◮ $f_A$, $g_A$ in forward direction yield CRHFs, CPA security (w/FHE!) ... but not much else.

Trapdoor Inversion

◮ Many cryptographic applications need to invert $f_A$ and/or $g_A$.

  Invert $u = f_A(x') = Ax'$: sample random $x \leftarrow f_A^{-1}(u)$ with prob $\propto \exp(-\|x\|^2 / s^2)$.

  Invert $g_A(s, e) = s^t A + e^t$: find the unique preimage $s$ (equivalently, $e$).

◮ How? Use a “strong trapdoor” for $A$: a short basis of $\Lambda^\perp(A)$ [Babai’86, GGH’97, Klein’01, GPV’08, P’10]

Applications of Strong Trapdoors

Canonical App: [GPV’08] Signatures
◮ pk = $A$, sk = short basis for $A$, random oracle $H : \{0,1\}^* \to \mathbb{Z}_q^n$.
◮ Sign($m$): let $u = H(m)$ and output Gaussian $x \leftarrow f_A^{-1}(u)$
◮ Verify($m, x$): check $f_A(x) = Ax = H(m)$ and $x$ “short enough”
◮ Security: finding “short enough” preimages in $f_A$ must be hard

Other “Black-Box” Applications of $f^{-1}$, $g^{-1}$
◮ Standard Model (no RO) signatures [CHKP’10, R’10, B’10]
◮ SM CCA-secure encryption [PW’08, P’09]
◮ SM (Hierarchical) IBE [GPV’08, CHKP’10, ABB’10a, ABB’10b]
◮ Many more: OT, NISZK, homom enc/sigs, deniable enc, func enc, ... [PVW’08, PV’08, GHV’10, GKV’10, BF’10a, BF’10b, OPW’11, AFV’11, ABVVW’11, ...]

Some Drawbacks...
✗ Generating $A$ w/ short basis is complicated and slow [Ajtai’99, AP’09]
✗ Known inversion algorithms trade quality for efficiency

|              | tight, iterative, fp | looser, parallel, offline |
|--------------|----------------------|---------------------------|
| $g_A^{-1}$   | [Babai’86]           | [Babai’86]                |
| $f_A^{-1}$   | [Klein’01, GPV’08]   | [P’10]                    |

Taming the Parameters

[Figure: the matrix $A$ with $n$ rows and $m$ columns, and the map $f_A(x) = Ax$.]

1 Trapdoor generator yields some lattice dim $m \ge Cn \log q$.
2 Basis “quality” ≈ lengths of basis vectors ≈ Gaussian std dev $s$.
3 Dimension $m$, std dev $s$ $\Longrightarrow$ preimage length $\beta = \|x\| \approx s\sqrt{m}$.
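
Added example (not from the slides): a verifier for the GPV-style Verify(m, x) check, run on a short preimage and on a long one from the same coset $\Lambda^\perp_u(A)$, to show that the equation and the length bound $\beta \approx s\sqrt{m}$ must both be enforced. The toy sizes, the SHA-256 stand-in for $H$, the value s = 4 and all function names are assumptions; the instance is constructed around a known short x0, not generated with a trapdoor.

```python
import hashlib
import random

N, M, Q = 4, 16, 257   # toy sizes (assumed); real schemes use far larger n, m
S = 4.0                # assumed Gaussian parameter s
BETA = S * M ** 0.5    # norm bound beta ~ s * sqrt(m), as on the slides

def hash_to_zq(msg, n=N, q=Q):
    """Toy stand-in for the random oracle H: {0,1}* -> Z_q^n."""
    out = []
    for i in range(n):
        d = hashlib.sha256(i.to_bytes(4, "big") + msg).digest()
        out.append(int.from_bytes(d, "big") % q)
    return out

def f_A(A, x, q=Q):
    """f_A(x) = A x mod q, with x taken as an integer vector."""
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in A]

def verify(A, msg, x, q=Q, beta=BETA):
    """Accept only if A x = H(m) mod q AND ||x|| <= beta (norm over Z)."""
    if len(x) != len(A[0]):
        return False
    in_coset = f_A(A, x, q) == hash_to_zq(msg, len(A), q)
    short = sum(xi * xi for xi in x) <= beta * beta
    return in_coset and short

def constructed_instance(msg, seed=1):
    """Constructed test data, NOT key generation: pick a short x0 first,
    then fix the last column of A so that A x0 = H(msg) mod q."""
    rng = random.Random(seed)
    x0 = [rng.choice((-1, 0, 1)) for _ in range(M - 1)] + [1]
    A = [[rng.randrange(Q) for _ in range(M - 1)] + [0] for _ in range(N)]
    u = hash_to_zq(msg)
    partial = f_A(A, x0)  # last column is still 0 here
    for i in range(N):
        A[i][M - 1] = (u[i] - partial[i]) % Q
    return A, x0

MSG = b"constructed sample message"
A, X0 = constructed_instance(MSG)
# q * e_1 lies in Lambda^perp(A), so X_LONG is in the same coset as X0:
# A x = H(m) mod q still holds, but the integer norm is now about q.
X_LONG = [X0[0] + Q] + X0[1:]

if __name__ == "__main__":
    print("short preimage accepted:", verify(A, MSG, X0))
    print("long preimage accepted: ", verify(A, MSG, X_LONG))
```

The norm is computed on the integer vector as received; reducing x mod q before the length check would map X_LONG back to X0 and hide the difference.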