slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky PowerPoint Presentation
Download Presentation
Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky

Loading in 2 Seconds...

play fullscreen
1 / 52

Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky - PowerPoint PPT Presentation


  • 181 Views
  • Uploaded on

Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011). La Cryptographie R eposant sur les Réseaux : de la Pratique à la Théorie à la Pratique Vadim Lyubashevsky INRIA / CNRS / ENS Paris

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky' - adsila


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Lattice-Based Cryptography:

From Practice to Theory to Practice

VadimLyubashevsky

INRIA / CNRS / ENS Paris

(September 12, 2011)

slide2

La CryptographieReposantsurles Réseaux:

de la Pratique à la Théorie à la Pratique

VadimLyubashevsky

INRIA / CNRS / ENS Paris

(Septembre12, 2011)

lattice based encryption schemes
Lattice-Based Encryption Schemes
  • NTRU [Hoffstein, Pipher, Silverman ‘98]
  • LWE-Based [Regev ‘05]
  • Ring-LWE Based [L, Peikert, Regev ’10]
  • “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11]
cryptosyst mes reposant sur les r seaux
CryptosystèmesReposantsur les Réseaux
  • NTRU [Hoffstein, Pipher, Silverman ‘98]
  • Reposantsur LWE [Regev ‘05]
  • ReposantsurAnneau-LWE [L, Peikert, Regev ’10]
  • “NTRU” avec unepreuve de la sécurité [Stehle, Steinfeld ‘11]
slide5

Subset Sum Problem

  • Subset-Sum Based [L, Palacio, Segev ‘10]
  • LWE-Based [Regev ‘05]
  • Ring-LWE Based [L, Peikert, Regev ’10]
  • “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11]
  • NTRU [Hoffstein, Pipher, Silverman ‘98]
subset sum problem

ai ,T in ZM

ai are chosen randomly

T is a sum of a random subset of the ai

a1 a2 a3 … anT

Find a subset of ai's that sums to T (mod M)

Subset Sum Problem
subset sum problem1

ai ,T in Z49

ai are chosen randomly

T is a sum of a random subset of the ai

15 31 24 3 1411

15 + 31 + 14=11(mod 49)

Subset Sum Problem
how hard is subset sum

ai ,T in ZM

a1 a2 a3 … anT

Find a subset of ai's that sums to T (mod M)

Hardness Depends on:

Size of n and M

Relationship between n and M

How Hard is Subset Sum?
complexity of solving subset sum
Complexity of Solving Subset Sum

M

2log²(n)

2n

2n log(n)

2n²

poly(n)

2Ω(n)

poly(n)

run-time

“generalized birthday attacks”

[FlaPrz05,Lyu06,Sha08]

“lattice reduction attacks”

[LagOdl85,Fri86]

subset sum crypto
Subset Sum Crypto
  • Why?
    • Simple operations
    • Exponential hardness
    • Seems very different from number theoretic assumptions
    • Seems to resist quantum attacks
subset sum is pseudorandom
Subset Sum is “Pseudorandom”
  • [Impagliazzo-Naor 1989]:
  • For random a1,...,an in ZM and random x1,...,xn in {0,1}
  • distinguishing the distribution
  • (a1,...,an, a1x1+...+anxn mod M)
  • from the uniform distribution U(ZMn+1) is as hard as finding x1,...,xn
public key encryption
Public Key Encryption

Allows for secure communication between parties who have previously never met

public key encryption1
Public Key Encryption

public key: p

secret key: s

Encrypt, Decrypt

Decrypt(s,Encrypt(p,M))=M

c=Encrypt(p,M)

M=Decrypt(s,c)

public key encryption2
Public Key Encryption

What does “secure” mean?

Intuitive answer: The adversary should not be able to read the message.

c=Encrypt(p,M)

public key encryption3
Public Key Encryption

What does “secure” mean?

Intuitive answer: The adversary should not be able to read the message.

But what about other information about the message?

c=Encrypt(p,M), c=Encrypt(p,M)

E.g. If adversary can figure out that the same message was sent twice, is the scheme “secure”?

public key encryption4
Public Key Encryption

What does “secure” mean?

Semantic Security:

For every 2 messages M, M', it's impossible to distinguish

Encrypt(p,M) from Encrypt(p,M') in polynomial time

The Encrypt algorithm must be randomized!

subset sum cryptosystem
Subset Sum Cryptosystem
  • Semantically secure based on Subset Sum for M ≈ nn
  • Main tools

Subset sum is pseudo-random

Addition in (Zq)n is “kind of like” addition in ZM where M=qn

  • The proof is very simple
want to add 4679 3907 8465 1343 mod 10 4 4 6 7 9 3 9 0 7 8 4 6 5 1 3 4 3
Want to add 4679+3907+8465+1343 mod 104

4 6 7 9

3 9 0 7

8 4 6 5

1 3 4 3

Facts About Addition

2

1

2

4 6 7 9

3 9 0 7

8 4 6 5

1 3 4 3

6

2

7

4

8

3

9

4

Adding n numbers (written in base q) modulo qm → carries < n

If q>>n, then Adding with carries ≈ Adding without carries

(i.e. in ZM) (i.e. in (Zq)n )

slide21
So...

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

1 1 0 1

1 1 0 1

2 1 1 0

+

=

8 1 1 9

0 2 2 9

=

NOT Pseudorandom!

Pseudorandom based on Subset Sum!

column subset sum addition is also pseudorandom
Column Subset Sum Addition Is Also Pseudorandom

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

1

1

0

1

1

1

1

0

0

9

8

0

+

=

hybrid subset sum addition is also pseudorandom
“Hybrid” Subset Sum Addition Is Also Pseudorandom

4 6 7 9 0

3 9 0 7 9

8 4 6 5 8

1 6 4 3 0

1 0 0 1

pseudorandom

1 1 1 0 0

+

6 3 2 2 0

=

encryption scheme for 1 bit
Encryption Scheme (for 1 bit)

A

s

t

A

t

r

+

=

{0,1}n

+

Zqn x n

{0,1}n

=

u

v

Public Key

encryption scheme
Encryption Scheme

A

s

t

A

t

r

+

=

+

=

u

v

Is pseudo-random based on the hardness of the subset sum problem

encryption scheme1
Encryption Scheme

A

s

t

A

t

r

+

=

+

=

u

v

=

+

v

A

A

s

s

r

r

+

+

=

A

A

s

s

r

encryption scheme2
Encryption Scheme

A

s

t

A

t

r

+

=

+

=

u

v

+

=

A

r

s

s

u

+

=

v

s

A

r

encryption scheme3
Encryption Scheme

A

s

t

A

t

r

+

=

+

=

u

v

Encryption of 0

-

=

s

u

v

encryption scheme4
Encryption Scheme

A

s

t

A

t

r

+

=

+

=

u

v

+

Encryption of 1

0

q/2

=

-

+

=

v’

q/2

s

u

v’

u

part 2 cryptosystem based on learning with errors and worst case lattice problems regev 2005

Part 2.Cryptosystem Based on Learning With Errors andWorst-Case Lattice Problems[Regev 2005]

encryption scheme what we needed
Encryption Scheme(what we needed)

A

s

t

A

t

r

+

=

+

=

“small”

u

v

Pseudorandom

picking the carries
Picking the “Carries”
  • In Subset Sum: carries were deterministic
  • What if … we pick the “carries” at random from some distribution?
slide33
So...

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

1 1 0 1

2 3 0 1

2 1 1 0

+

1 3 2 1

+

0 2 2 9

=

7 2 0 3

=

Pseudorandom based on Subset Sum!

Pseudorandom based on LWE and worst-case lattice problems [Reg ‘05]

(with a lemma from [ACPS ‘09])

slide34

Learning With Errors (LWE) Problem

a1

. . .

s

e

b

a2

+

=

am

Given aiand<ai,s>+eifind s. (eiand s are “small”)

(Once there are enough ai , the s is uniquely determined)

Theorem [Regev '05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE.

decision lwe problem
Decision LWE Problem

World 1

World 2

a1

a1

. . .

b

. . .

s

e

b

a2

a2

+

=

am

am

uniformly random in Zpm

Lemma[Reg ’05]: Search-LWE < Decision-LWE

lwe vs subset sum
LWE vs. Subset Sum
  • The Subset Sum assumption has deterministic “noise”
  • The LWE assumption is more “versatile”

LWE Problem

Subset Sum Problem

a1

. . .

s

e

b

s

b

a2

EASY !!

a1

a2

an

n2

+

=

n2

+

=

am

n

n

slide38

Part 3.Cryptosystem Based on Learning With Errors over Rings andWorst-Case Ideal Lattice Problems[L, Peikert, Regev 2010]

source of inefficiency of lwe
Source of Inefficiency of LWE

Getting just one extra random-looking number requires n random numbers and a small error element.

2

8

7

3

1

2

1

+

=

*

0

2

1

Wishful thinking: get n random numbers and produce n pseudo-random numbers in “one shot”

2

1

8

0

+

=

*

7

2

3

1

use polynomials
Use Polynomials
  • f(x) is a polynomial xn+ an-1xn-1 + … + a1x + a0
  • R = Zp[x]/(f(x)) is a polynomial ring with
    • Addition mod p
    • Polynomial multiplication mod p and f(x)
  • Each element of R consists of n elements in Zp
  • In R:
    • small+small = small
    • small*small = small (depending on f(x) )
polynomial interpretation of the lwe based cryptosystem
Polynomial Interpretation of the LWE-based cryptosystem

a

s

+

=

t

r

a

+

=

u

+

r

t

=

v

Public Key

v

-

u

s

=

+

-

r

a

+

s

r

t

+

-

r

a

s

+

r

a

+

s

+

r

-

s

=

security
Security

a

s

+

=

t

r

a

+

=

u

+

r

t

=

v

Pseudorandom??

learning with errors over rings
Learning With Errors over Rings

a1

s

e1

b1

a2

e2

b2

a3

e3

b3

+

=

am

em

bm

Theorem [LPR ‘10]: Finding s is as hard as solving lattice problems in all ideals of the ring Z[x]/(f(x))

decision learning with errors over rings
Decision Learning With Errors over Rings

World 1

World 2

a1

s

b1

a1

b1

a2

b2

a2

b2

a3

b3

a3

b3

+

=

am

bm

am

bm

Theorem [LPR ‘10]: In cyclotomic rings, Search-RLWE < Decision-RLWE

slide46

Part 4.1-Element Cryptosystem Based on Learning With Errors over Rings andWorst-Case Ideal Lattice Problems[Stehle, Steinfeld 2011]

number of ring elements
Number of Ring Elements

a

s

+

=

t

r

a

+

=

u

+

r

t

=

v

p

Encryption of m:

u

v

+

m

,

2

Can you have a ciphertext with just 1 ring element?

stehle steinfeld cryptosystem
Stehle, Steinfeld Cryptosystem

“small” coefficients

f

a

u

a

r

+

+

m

mod p

=

=

2

mod p

g

Uniformly random

Pseudorandom based on Ring-LWE

u

g

f

r

+

g

+

g

m

=

2

u

g

mod 2

=

g

m

u

g

mod 2

m

=

g

ntru cryptosystem
NTRU Cryptosystem

f

g

- Very small

f

a

u

a

r

+

+

m

mod p

=

=

2

mod p

g

“looks” random

If a is random, then pseudorandom based on Ring-LWE

u

g

f

r

+

g

+

g

m

=

2

Since f, g are smaller, p can be smaller as well

textbook ntru cryptosystem trap door function
(Textbook) NTRU Cryptosystem / Trap-Door Function

f

g

- Very small

f

a

u

2

a

r

+

m

=

=

mod p

mod p

g

u

g

f

r

+

g

m

=

2

u

g

mod 2

=

g

m

u

g

mod 2

m

=

g