Some Recent Progress in Lattice-Based Cryptography
Chris Peikert (SRI)
TCC 2009
Lattice-Based Cryptography
[Figure: number-theoretic crypto (factoring $N = p \cdot q$, $m^e \bmod N$, $(g^a, g^b)$) ⇒ lattice-based crypto. Images courtesy xkcd.org]
Why?
◮ Simple & efficient: linear, parallelizable
◮ Resists subexponential & quantum attacks (so far)
◮ Security from worst-case assumptions [Ajtai96, ...]
If We Had 6 Hours...
◮ Worst-case / average-case reductions [Aj96, AD97, CN97, Mi03, Re03, MR04, Re05, Pe07, GPV08, Pe09, ...]
◮ Cryptanalysis & concrete parameters [LLL82, Sc87, BKW00, AKS01, NR06, GN08, NV08, MR08, ...]
◮ Cyclic / ideal lattices [Mi02, PR06, LM06, PR07, LM08, Ge09, ...]
  ⋆ Efficiency: complements general techniques
  ⋆ Functionality: uses 'extra features' of ideals
◮ Complexity of lattice problems
  ⋆ Hardness [vEB81, Aj98, CN99, Mi00, Kh05, RR06, HR07, ...]
  ⋆ Limits on hardness [LLS90, Ba93, GG97, Ca98, AR04, GMR05, LLM06, P07, ...]
This Talk
Hard Avg-Case Problems → Functions → Abstract Crypto Properties → Applications
Goals
1 'De-mystify' lattice-based crypto
2 Advocate a geometric perspective
3 Answer your questions
Lattices
◮ Today: full-rank subgroup $\mathcal{L}$ of $\mathbb{Z}^m$ ($\mathbf{x}, \mathbf{y} \in \mathcal{L} \Rightarrow \mathbf{x} \pm \mathbf{y} \in \mathcal{L}$; $\dim \operatorname{span} = m$)
◮ Basis $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_m\}$: $\mathcal{L} = \sum_{i=1}^{m} (\mathbb{Z} \cdot \mathbf{b}_i)$
  [Figure: the same 2-dimensional lattice drawn with two different bases $\mathbf{b}_1, \mathbf{b}_2$; origin $O$]
  (Other representations too ...)
Hard Computational Problems
◮ Find 'relatively short' (nonzero) vectors
◮ Estimate geometric quantities (minimum distance, covering radius, ...)
A Combinatorial Problem
◮ Security param $n$, modulus $q$: group $\mathbb{Z}_q^n$ (e.g., $q = \mathrm{poly}(n)$)
◮ Vectors $\mathbf{a}_1, \mathbf{a}_2, \ldots, \mathbf{a}_m \in \mathbb{Z}_q^n$, the columns of $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$
◮ Goal: find nontrivial $\mathbf{z} = (z_1, \ldots, z_m) \in \{0, \pm 1\}^m$ such that
  $z_1 \cdot \mathbf{a}_1 + z_2 \cdot \mathbf{a}_2 + \cdots + z_m \cdot \mathbf{a}_m = \mathbf{A}\mathbf{z} = \mathbf{0} \in \mathbb{Z}_q^n$
Hash Function [Ajtai96, GGH97]
◮ Set $m > n \lg q$. Define $f_{\mathbf{A}} : \{0,1\}^m \to \mathbb{Z}_q^n$, $f_{\mathbf{A}}(\mathbf{x}) = \mathbf{A}\mathbf{x}$
◮ Collision $\mathbf{x}, \mathbf{x}' \in \{0,1\}^m$ where $\mathbf{A}\mathbf{x} = \mathbf{A}\mathbf{x}'$ ... yields solution $\mathbf{z} = \mathbf{x} - \mathbf{x}' \in \{0, \pm 1\}^m$.
Geometric Perspective
◮ 'Parity check' matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$: $\mathcal{L}^{\perp}(\mathbf{A}) = \{\mathbf{z} \in \mathbb{Z}^m : \mathbf{A}\mathbf{z} = \mathbf{0} \in \mathbb{Z}_q^n\}$
  [Figure: the lattice $\mathcal{L}^{\perp}(\mathbf{A})$ for $m = 2$, which contains the points $(q, 0)$ and $(0, q)$; origin $O$]
◮ Each $\mathbf{x} \in \mathbb{Z}^m$ has syndrome $\mathbf{u} = \mathbf{A}\mathbf{x} \in \mathbb{Z}_q^n$
◮ Enlarge domain of $f_{\mathbf{A}}$ to ... still O-W & C-R (one-way & collision-resistant)!
Average / Worst-Case Connection [Ajtai96, ...]
Finding 'short' nonzero $\mathbf{z} \in \mathcal{L}^{\perp}(\mathbf{A})$ (for random $\mathbf{A}$) ⇒ solving approximate lattice problems in the worst case
Finding 'short' $\mathbf{x}$ with (uniform) syndrome $\mathbf{u}$ ⇒ solving approximate lattice problems in the worst case
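A worked version of the two slides above (the combinatorial problem / hash function and the geometric view), added here as an illustration; it is not code from the talk. It builds a uniformly random 'parity check' matrix $\mathbf{A}$, evaluates $f_{\mathbf{A}}(\mathbf{x}) = \mathbf{A}\mathbf{x} \bmod q$ on $\{0,1\}^m$, finds a collision by a birthday search, and checks that $\mathbf{z} = \mathbf{x} - \mathbf{x}'$ is a nonzero vector of $\mathcal{L}^{\perp}(\mathbf{A})$ with entries in $\{0, \pm 1\}$, far shorter than the trivial lattice vectors $q \cdot \mathbf{e}_i$. The parameters ($n = 4$, $q = 17$, $m = 20 > n \lg q$), the fixed seed and the function names are my choices; real instances have $n$ in the hundreds and no feasible collision search.

```python
"""Ajtai's hash f_A(x) = A x mod q and the q-ary lattice L^perp(A).

Added illustration, not from the slides.  Parameters are toy-sized so a
collision can be found by brute force; real instances have n in the hundreds.
"""
import random


def keygen(n, m, q, rng):
    """Uniformly random 'parity check' matrix A in Z_q^{n x m} (rows)."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def syndrome(A, x, q):
    """u = A x mod q in Z_q^n; this is f_A(x) when x is in {0,1}^m."""
    return tuple(sum(a_ij * x_j for a_ij, x_j in zip(row, x)) % q for row in A)


def in_perp_lattice(A, z, q):
    """z in L^perp(A) = { z in Z^m : A z = 0 mod q }."""
    return all(v == 0 for v in syndrome(A, z, q))


def find_collision(A, q, rng):
    """Birthday search for x != x' in {0,1}^m with A x = A x' (mod q).

    With m > n lg q the domain {0,1}^m is larger than the range Z_q^n, so
    collisions exist; for toy parameters they appear after ~sqrt(q^n) inputs.
    """
    m = len(A[0])
    seen = {}
    while True:
        x = tuple(rng.randrange(2) for _ in range(m))
        u = syndrome(A, x, q)
        if u in seen and seen[u] != x:
            return seen[u], x
        seen[u] = x


def short_vector_from_collision(A, q, rng):
    """Turn a collision into a nonzero z in {0,+-1}^m with A z = 0 mod q."""
    x, x2 = find_collision(A, q, rng)
    z = tuple(a - b for a, b in zip(x, x2))
    # z is the difference of two distinct 0/1 vectors: nonzero, entries in {0,+-1},
    # and A z = A x - A x' = 0 mod q, so z is a short vector of L^perp(A).
    assert any(z) and max(abs(v) for v in z) == 1 and in_perp_lattice(A, z, q)
    return z


def sis_demo(seed=1):
    """Toy parameters: n = 4, q = 17, m = 20 > n lg q ~= 16.3 (my choice)."""
    n, q, m = 4, 17, 20
    rng = random.Random(seed)
    A = keygen(n, m, q, rng)
    z = short_vector_from_collision(A, q, rng)
    # q * e_1 is always in L^perp(A) (every coordinate of A z is a multiple of q)
    # but has infinity norm q; the collision gives a vector of infinity norm 1.
    q_e1 = (q,) + (0,) * (m - 1)
    return {
        "z": z,
        "z_inf_norm": max(abs(v) for v in z),
        "q_e1_in_lattice": in_perp_lattice(A, q_e1, q),
        "q_e1_inf_norm": q,
    }


if __name__ == "__main__":
    print(sis_demo())
```

The check at the end of `short_vector_from_collision` is exactly the reduction on slide 6: a collision for $f_{\mathbf{A}}$ is a solution to the combinatorial problem, and geometrically a short nonzero point of $\mathcal{L}^{\perp}(\mathbf{A})$. The points $q \cdot \mathbf{e}_i$ (the $(q,0)$ and $(0,q)$ of the figure) show that the lattice always has vectors of length $q$; the hardness is in finding vectors of length about $\sqrt{m}$ or less.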
Gaussians and Lattices
[Figures: a Gaussian over $\mathbb{R}^m$ and its reduction modulo a lattice]
A Gaussian over $\mathbb{R}^m$ is 'uniform' modulo the lattice when its std dev ≥ min basis length
(Used in worst/average-case reductions [Re03, MR04, ...])
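The smoothing claim above, tried numerically on a constructed two-dimensional lattice (an added example, not from the slides): a continuous Gaussian $\mathbf{y} \in \mathbb{R}^2$ is reduced modulo $\mathcal{L}(\mathbf{B})$ by taking the fractional parts of its coordinates in the basis $\mathbf{B}$, which lands it in the fundamental parallelepiped $\mathcal{P}(\mathbf{B})$, and a coarse histogram over that parallelepiped shows the result is close to uniform when the standard deviation exceeds the longest basis vector and very far from uniform when it is a tenth of that length. The basis, the sample count, the grid size and the seed are my choices; the histogram is a sanity check, not a proof.

```python
"""Continuous Gaussian reduced modulo a lattice: the 'smoothing' effect.

Added illustration, not from the slides.  The lattice basis below is a
constructed toy example; the uniformity check is a coarse histogram over the
fundamental parallelepiped P(B).
"""
import math
import random

# Constructed toy basis (rows are b1, b2); longest basis vector has length sqrt(10).
TOY_BASIS = ((3.0, 1.0), (1.0, 2.0))


def reduce_mod_lattice(B, y):
    """Reduce y in R^2 modulo L(B).

    Returns the fractional coordinates (c1, c2) in [0,1)^2 such that
    y = (k1 + c1) b1 + (k2 + c2) b2 for integers k1, k2; c1 b1 + c2 b2 is the
    representative of y in the fundamental parallelepiped P(B).
    """
    (b11, b12), (b21, b22) = B
    det = b11 * b22 - b12 * b21           # nonzero because B is a basis
    c1 = (y[0] * b22 - y[1] * b21) / det  # Cramer's rule for c1 b1 + c2 b2 = y
    c2 = (b11 * y[1] - b12 * y[0]) / det
    return (c1 - math.floor(c1), c2 - math.floor(c2))


def max_deviation_from_uniform(B, sigma, samples, bins, rng):
    """Draw y ~ N(0, sigma^2 I_2), reduce mod L(B), bucket the fractional
    coordinates into a bins x bins grid over P(B), and return the largest
    relative deviation |count / expected - 1| over all cells (0 = uniform)."""
    counts = [[0] * bins for _ in range(bins)]
    for _ in range(samples):
        y = (rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
        c1, c2 = reduce_mod_lattice(B, y)
        i = min(int(c1 * bins), bins - 1)
        j = min(int(c2 * bins), bins - 1)
        counts[i][j] += 1
    expected = samples / (bins * bins)
    return max(abs(c / expected - 1.0) for row in counts for c in row)


def smoothing_demo(seed=0, samples=32000, bins=4):
    """Wide Gaussian (std dev above the longest basis vector) versus a narrow one."""
    rng = random.Random(seed)
    longest = max(math.hypot(*b) for b in TOY_BASIS)   # sqrt(10) ~= 3.16
    wide = max_deviation_from_uniform(TOY_BASIS, 1.3 * longest, samples, bins, rng)
    narrow = max_deviation_from_uniform(TOY_BASIS, 0.1 * longest, samples, bins, rng)
    # Expect: 'wide' within sampling noise of 0 (a few percent), 'narrow' near 1,
    # because a narrow Gaussian stays near lattice points, i.e. near the corners of P(B).
    return {"wide_sigma_deviation": wide, "narrow_sigma_deviation": narrow}


if __name__ == "__main__":
    print(smoothing_demo())
```

With 32000 samples and 16 cells the sampling noise is about two percent per cell, so a deviation under 0.2 for the wide Gaussian means the reduced distribution is indistinguishable from uniform at this resolution, while the narrow Gaussian leaves the interior cells almost empty. This is the property the reductions use: once the width passes the lattice's smoothing threshold, the lattice 'disappears' and only uniform noise remains.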
Discrete Gaussians
◮ Fix uniform $\mathbf{A}$. Choose Gaussian input $\mathbf{x} \in \mathbb{Z}^m$: