Some Recent Progress in Lattice-Based Cryptography Chris Peikert - PowerPoint PPT Presentation


  1. Some Recent Progress in Lattice-Based Cryptography. Chris Peikert (SRI). TCC 2009. (1 / 17)

  4. Lattice-Based Cryptography (2 / 17)
   [Figure: number-theoretic crypto (m^e mod N, N = p·q, (g^a, g^b)) ⇒ lattice picture; images courtesy xkcd.org]
   Why?
   ◮ Simple & efficient: linear, parallelizable
   ◮ Resists subexponential & quantum attacks (so far)
   ◮ Security from worst-case assumptions [Ajtai96, ...]

  5. If We Had 6 Hours... (3 / 17)
   ◮ Worst-case / average-case reductions [Aj96, AD97, CN97, Mi03, Re03, MR04, Re05, Pe07, GPV08, Pe09, ...]
   ◮ Cryptanalysis & concrete parameters [LLL82, Sc87, BKW00, AKS01, NR06, GN08, NV08, MR08, ...]
   ◮ Cyclic / ideal lattices [Mi02, PR06, LM06, PR07, LM08, Ge09, ...]
     ⋆ Efficiency: complements general techniques
     ⋆ Functionality: uses 'extra features' of ideals
   ◮ Complexity of lattice problems
     ⋆ Hardness [vEB81, Aj98, CN99, Mi00, Kh05, RR06, HR07, ...]
     ⋆ Limits on hardness [LLS90, Ba93, GG97, Ca98, AR04, GMR05, LLM06, P07, ...]

  15. This Talk (4 / 17)
   [Figure: layered stack, built bottom-up: Hard Avg-Case Problems → Functions → Abstract Crypto Properties → Applications]
   Goals
   1 'De-mystify' lattice-based crypto
   2 Advocate a geometric perspective
   3 Answer your questions

  20. Lattices (5 / 17)
   ◮ Today: full-rank subgroup $L$ of $\mathbb{Z}^m$ ($x, y \in L \Rightarrow x \pm y \in L$; $\dim \mathrm{span} = m$)
   ◮ Basis $B = \{b_1, \dots, b_m\}$: $L = \sum_{i=1}^{m} (\mathbb{Z} \cdot b_i)$
   [Figure: lattice points in the plane with origin $O$ and basis vectors $b_1, b_2$]
   (Other representations too ...)
   Hard Computational Problems
   ◮ Find 'relatively short' (nonzero) vectors
   ◮ Estimate geometric quantities (minimum distance, covering radius, ...)

  27. A Combinatorial Problem (6 / 17)
   ◮ Security param $n$, modulus $q$: group $\mathbb{Z}_q^n$ (e.g., $q = \mathrm{poly}(n)$)
   ◮ Given column vectors $a_1, a_2, \dots, a_m \in \mathbb{Z}_q^n$, i.e. a matrix $A \in \mathbb{Z}_q^{n \times m}$ with $m$ columns
   ◮ Goal: find nontrivial $z = (z_1, \dots, z_m) \in \{0, \pm 1\}^m$ such that
     $z_1 \cdot a_1 + z_2 \cdot a_2 + \cdots + z_m \cdot a_m = A z = 0 \in \mathbb{Z}_q^n$
   Hash Function [Ajtai96, GGH97]
   ◮ Set $m > n \lg q$. Define $f_A : \{0,1\}^m \to \mathbb{Z}_q^n$, $f_A(x) = Ax$
   ◮ Collision $x, x' \in \{0,1\}^m$ where $Ax = Ax'$ ... yields solution $z = x - x' \in \{0, \pm 1\}^m$.

  34. Geometric Perspective (7 / 17)
   ◮ 'Parity check' matrix $A \in \mathbb{Z}_q^{n \times m}$; $L^\perp(A) = \{ z \in \mathbb{Z}^m : Az = 0 \}$
   [Figure: the lattice $L^\perp(A)$ in the plane, containing the origin $O$ and the points $(q, 0)$ and $(0, q)$]
   ◮ Each $x \in \mathbb{Z}^m$ has syndrome $u = Ax \in \mathbb{Z}_q^n$
   ◮ Enlarge domain of $f_A$ to ... ... still one-way (O-W) & collision-resistant (C-R)!
   Average / Worst-Case Connection [Ajtai96, ...]
   Finding 'short' nonzero $z \in L^\perp(A)$, or 'short' $x$ with (uniform) syndrome $u$
   ⇓
   approx lattice problems in worst case
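The two slides above (the combinatorial problem with its hash function, and the lattice $L^\perp(A)$ with syndromes) can be exercised end to end on toy parameters. The following is an added example, not code from the talk or from any of the cited papers: it builds a random parity-check matrix $A$, evaluates $f_A(x) = Ax \bmod q$ on $\{0,1\}^m$, finds a collision by exhaustive search (feasible only because the parameters are tiny), and checks that $z = x - x'$ lands in $\{0, \pm 1\}^m \cap L^\perp(A)$. The parameters $n = 2$, $q = 5$, $m = 6$ and the seed are constructed for the demonstration; real instances use $n$ in the hundreds, where no such search is possible.

```python
import itertools
import random

# Constructed toy parameters (not from the slides): n = 2, q = 5, m = 6.
# The slides ask for m > n lg q; here n*log2(q) is about 4.64 < 6, so by the
# pigeonhole principle 2^m = 64 > q^n = 25 and f_A must have a collision.
N, Q, M = 2, 5, 6


def random_matrix(n, q, m, seed=0):
    """Uniform 'parity check' matrix A in Z_q^{n x m}, stored as a list of rows."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def syndrome(A, x, q):
    """u = A x mod q, the syndrome of an integer vector x (slide 7)."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)


def ajtai_hash(A, x, q):
    """f_A(x) = A x mod q restricted to the domain {0,1}^m (slide 6)."""
    assert all(xi in (0, 1) for xi in x), "domain is {0,1}^m"
    return syndrome(A, x, q)


def in_perp_lattice(A, z, q):
    """Membership test for L^perp(A) = { z in Z^m : A z = 0 mod q }."""
    return all(v == 0 for v in syndrome(A, z, q))


def find_collision(A, q, m):
    """Exhaustively search {0,1}^m for x != x' with f_A(x) = f_A(x').

    Only feasible for toy m (2^m evaluations); returns (x, x') or None.
    """
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        u = ajtai_hash(A, x, q)
        if u in seen:
            return seen[u], x
        seen[u] = x
    return None


def collision_to_short_vector(A, q, m):
    """Turn a collision into a nontrivial z = x - x' in {0,+-1}^m with A z = 0 mod q."""
    found = find_collision(A, q, m)
    if found is None:
        return None
    x, x2 = found
    z = tuple(a - b for a, b in zip(x, x2))
    assert all(zi in (-1, 0, 1) for zi in z)   # entries of a {0,1} difference
    assert any(z)                              # nontrivial because x != x'
    assert in_perp_lattice(A, z, q)            # A x = A x' mod q => A (x - x') = 0 mod q
    return z


if __name__ == "__main__":
    A = random_matrix(N, Q, M)
    z = collision_to_short_vector(A, Q, M)
    print("A =", A)
    print("short z in L^perp(A):", z)
```

Note the direction of the argument: the collision finder here is a brute-force stand-in, used only to make the slides' "collision yields solution" step concrete. For the hash to be collision-resistant in practice, the contrapositive is what matters, which is exactly the worst-case connection the slide states: anyone who could find short nonzero vectors in $L^\perp(A)$ for uniform $A$ would solve approximate lattice problems in the worst case.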

  38. Gaussians and Lattices (8 / 17)
   [Figure: Gaussian distribution drawn over a lattice]
   'Uniform' over $\mathbb{R}^m$ when std dev ≥ min basis length (used in worst/average-case reductions [Re03, MR04, ...])

  39. Discrete Gaussians (9 / 17)
   ◮ Fix uniform $A$. Choose Gaussian input $x \in \mathbb{Z}^m$
   [Figure: Gaussian-distributed lattice point $x$]
