New Lattice Based Cryptographic Constructions
Oded Regev


Lattices

  • Basis: v_1,…,v_n vectors in R^n

  • The lattice is a_1v_1+…+a_nv_n for all integer a_1,…,a_n.

  • What is the shortest vector u?

[Figure: lattice points labelled 0, v_1, v_2, 2v_1, 2v_2, v_1+v_2, 2v_2-v_1, 2v_2-2v_1]


Lattices – not so easy

[Figure: lattice with points 0, v_1, v_2 and 3v_1-4v_2 labelled]


f(n)-unique-SVP (shortest vector problem)

  • Promise: the shortest vector u is shorter by a factor of f(n)

  • Algorithm for 2^n-unique SVP [LLL82,Schnorr87]

  • Believed to be hard for any n^c

[Figure: lengths 1 and f(n); a scale of f(n) marked 1, n^c and 2^n, with regions labelled 'believed hard' and 'easy']


History

  • Geometric objects with rich structure

  • Early work by Gauss 1801, Hermite 1850, Minkowski 1896

  • More recent developments:

    • LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovász82]

      • Factoring rational polynomials

      • Solving integer programs in a fixed dimension

      • Breaking knapsack cryptosystems

    • Ajtai’s average case connection [Ajtai96]

      • Lattice based cryptosystems


Question

  • From which distribution is the following sequence taken?

    478, 21, 431, 897, 150, 701, 929, 232

Uniform? Or wavy?

[Figure: two plots of Prob over the range 1 to 1000, one for each case]


The d,γ-wavy Distribution

  • Periodization of the normal distribution

  • R=2^(2n^2)

  • Number of periods is d (usually integer)

  • Ratio of period to standard dev. is γ

  • dist_d : {0,…,R-1} → [0,½] is the normalized distance from the nearest peak

[Figure: the wavy distribution for d=7, Prob plotted over 0 to R-1]


Main Theorem

  • For all γ=γ(n), a reduction from

    γ•n^(1/2)-unique Shortest Vector Problem

    to

    distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n^2)


Average-case Theorem

  • For all γ=γ(n), a reduction from

    γ•n^(1/2)-unique Shortest Vector Problem

    to

    distinguishing between the uniform distribution and the d,γ-wavy distributions for a non-negligible fraction of values d in [2^(n^2), 2•2^(n^2)]


Applications of Main Theorem

  • Public key encryption scheme

  • Collision resistant hash function

  • A problem in quantum computation


Cryptography

  • ‘Standard’ cryptography:

    • Usually based on factoring, discrete log, principal ideal problem

    • Average case assumption

    • Mostly broken by quantum computers

  • Lattice based cryptography [Ajtai96,…]:

    • Based on lattice problems

    • Worst case assumption

    • Still not broken by quantum computers


Application 1: Public Key Encryption (PKE)

  • Consists of private key, public key, encryption and decryption

  • The Ajtai-Dwork cryptosystem [AjtaiDwork96,GoldreichGoldwasserHalevi97]

    • Previously, the only lattice based PKE with worst case assumption

    • Based on n^7-unique Shortest Vector Problem


Application 1: Public Key Encryption (PKE)

  • We construct a new lattice based PKE from the average-case theorem:

    • Very simple description

    • Improves Ajtai-Dwork to n^1.5-unique Shortest Vector Problem

    • Uses integer numbers, very efficient


Application 2: Collision Resistant Hash Function

  • A function f:{0,1}^r → {0,1}^s with r>s such that it is hard to find collisions, i.e.,

    • x≠y s.t. f(x)=f(y)

  • Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02]

  • Our construction is

    • The first which is not based on Ajtai’s iterative step

    • Somewhat stronger (based on n^1.5-uSVP)


Application 3: Quantum Computation

  • Quantum computers can break cryptography based on factoring [Shor96]

  • Based on the HSP on Abelian groups

  • What about lattice based cryptography?


Application 3: Quantum Computation

  • Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02]

  • Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]


Main Theorem

  • For all γ=γ(n), a reduction from

    γ•n^(1/2)-unique Shortest Vector Problem

    to

    distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n^2)


Proof of the Main Theorem


Proof Outline

n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem


Reduction to: Decision Problem

  • Given an n^1.5-unique lattice, and a prime p>n^1.5

  • Assume the shortest vector is:

    u = a_1v_1+a_2v_2+…+a_nv_n

  • Decide whether a_1 is divisible by p


The Reduction

  • Idea: decrease the coefficients of the shortest vector

  • If we find out that p|a_1 then we can replace the basis with pv_1,v_2,…,v_n.

  • u is still in the new lattice:

    u = (a_1/p)•pv_1 + a_2v_2 + … + a_nv_n

  • The same can be done whenever p|a_i for some i


The Reduction

  • But what if p∤a_i for all i?

  • Consider the basis v_1,v_2-v_1,v_3,…,v_n

  • The shortest vector is

    u = (a_1+a_2)v_1 + a_2(v_2-v_1) + a_3v_3 + … + a_nv_n

  • The first coefficient is a_1+a_2

  • Similarly, we can set it to

    a_1-⌊p/2⌋a_2, …, a_1-a_2, a_1, a_1+a_2, …, a_1+⌊p/2⌋a_2

  • One of them is divisible by p, so we choose it and continue
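The coefficient-reduction step from the two slides above, as an added example that is not part of the presentation: it tracks the basis changes for n=2, using a stand-in oracle that knows the hidden u (an assumption; in the proof the oracle is the decision-problem solver). The function names and the sample vectors are constructed for illustration.

```python
from fractions import Fraction

def coeffs(basis, u):
    """Coefficients (c1, c2) with u = c1*w1 + c2*w2, by Cramer's rule."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return (Fraction(u[0] * d - u[1] * c, det),
            Fraction(a * u[1] - b * u[0], det))

def make_oracle(u, p):
    """Stand-in decision oracle: is the first coefficient of u divisible by p?"""
    def oracle(basis):
        return coeffs(basis, u)[0] % p == 0
    return oracle

def scale(w, p):
    return (p * w[0], p * w[1])

def sparsify(basis, oracle, p):
    """One round: a basis of a sublattice of index p that still contains u."""
    w1, w2 = basis
    if oracle((w1, w2)):                      # p | a1: replace v1 by p*v1
        return (scale(w1, p), w2)
    if oracle((w2, w1)):                      # p | a2: same trick on v2
        return (w1, scale(w2, p))
    for k in range(-(p // 2), p // 2 + 1):
        shifted = (w2[0] - k * w1[0], w2[1] - k * w1[1])   # v2 - k*v1
        if oracle((w1, shifted)):             # first coefficient a1 + k*a2
            return (scale(w1, p), shifted)
    raise AssertionError("unreachable for prime p")

def run(rounds=6, p=5):
    v1, v2 = (7, 2), (3, 8)                   # constructed basis
    u = (37 * 7 - 23 * 3, 37 * 2 - 23 * 8)    # hidden u = 37*v1 - 23*v2
    basis, oracle = (v1, v2), make_oracle(u, p)
    for _ in range(rounds):
        basis = sparsify(basis, oracle, p)
    return basis, coeffs(basis, u)

if __name__ == "__main__":
    basis, c = run()
    print("final basis:", basis, "coefficients of u:", c)
```

Each round multiplies the lattice determinant by p while u keeps integer coefficients, which is the sense in which the lattice gets sparser around u.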


Proof Outline

n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem


Reduction from: Decision Problem

  • Given an n^1.5-unique lattice, and a prime p>n^1.5

  • Assume the shortest vector is:

    u = a_1v_1+a_2v_2+…+a_nv_n

  • Decide whether a_1 is divisible by p


Reduction to: Promise Problem

  • Given a lattice, distinguish between:

    Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n

    Case 2. Shortest vector is of length more than n


The reduction

  • Input: a basis (v_1,…,v_n) of an n^1.5-unique lattice

  • Scale the lattice so that the shortest vector is of length 1/n

  • Replace v_1 by pv_1. Let M be the resulting lattice

  • If p | a_1 then M has shortest vector 1/n and all non-parallel vectors more than n

  • If p ∤ a_1 then M has shortest vector more than n


The input lattice L

[Figure: the lattice L with points -u, 0, u, 2u; lengths 1/n and n marked]


The lattice M

  • The lattice M is spanned by pv_1,v_2,…,v_n:

  • If p|a_1, then u = (a_1/p)•pv_1 + a_2v_2 +…+ a_nv_n ∈ M:

[Figure: the lattice M with points 0 and u; lengths 1/n and n marked]


The lattice M

  • The lattice M is spanned by pv_1,v_2,…,v_n:

  • If p∤a_1, then u ∉ M:

[Figure: the lattice M with points -pu, 0, pu; length n marked]


Proof Outline

n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem


Reduction from: Promise Problem

  • Given a lattice, distinguish between:

    Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n

    Case 2. Shortest vector is of length more than n


n-dimensional distributions

  • Distinguish between the distributions:

[Figure: Uniform ? Wavy]


Dual Lattice

  • Given a lattice L, the dual lattice is

    L* = { x | ∀y∈L, <x,y>∈Z }

[Figure: L and L* drawn side by side; labels 5, 1/5 and origin 0]


L* - the dual of L

[Figure: L and its dual L* in Case 1 and Case 2; labels 1/n, n and origin 0]


Reduction

  • Choose a point randomly from L*

  • Perturb it by a Gaussian of radius n


Creating the Distribution

[Figure: L* and L* + perturb in Case 1 and Case 2; label n and origin 0]


Analyzing the Distribution

  • Theorem: (using [Banaszczyk’93])

    The distribution obtained above depends only on the points in L of distance n from the origin

    (up to an exponentially small error)

  • Therefore,

    Case 1: Determined by multiples of u → wavy on hyperplanes orthogonal to u

    Case 2: Determined by the origin → uniform


Proof of Theorem

  • For a set A in R^n, define:

  • Poisson Summation Formula implies:

  • Banaszczyk’s theorem:

    For any lattice L,


Proof of Theorem (cont.)

  • In Case 2, the distribution obtained is very close to uniform:

  • Because:


Proof Outline

n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem


n-dimensional distributions

  • Distinguish between the distributions

  • Given by an oracle that returns points inside a cube of side length 2^n

[Figure: Wavy ? Uniform]


Main Theorem

  • Distinguish between the distributions:

[Figure: the Uniform and the Wavy distribution, each plotted over 0 to R-1]


Reducing to 1-dimension

  • First attempt: sample and project to a line


Reducing to 1-dimension

  • But then we lose the wavy structure!

  • We should project only from points very close to the line


The solution

  • Use the periodicity of the distribution

  • Project on a ‘dense line’ :



The solution

  • We choose the line that connects the origin to e_1+Ke_2+K^2e_3+…+K^(n-1)e_n, where K is large enough

  • The distance between hyperplanes is n

  • The sides are of length 2^n

  • Therefore, we choose K=2^O(n)

  • Hence, d<O(K^n)=2^(O(n^2))


Done

n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem



Worst-case vs. Average-case

  • Main theorem presents a problem that is hard in the worst-case: distinguish between uniform and d,γ-wavy distributions for all integers d<2^(n^2)

  • For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of d in [2^(n^2), 2•2^(n^2)]


Compressing

  • The following procedure transforms d,γ-wavy into 2d,γ-wavy for all integer d:

    • Sample a from the distribution

    • Return either a/2 or (a+R)/2 with probability ½

  • In general, for any real a1,we can compress d,γ-wavy into ad,γ-wavy

  • Notice that compressing preserves the uniform distribution

  • We show a reduction from worst-case to average-case
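The compressing step for the factor 2, as an added example that is not part of the presentation: it samples the d,γ-wavy distribution as defined on the earlier slide, applies the a/2 or (a+R)/2 rule, and measures how close the outputs sit to the peaks of the 2d-wavy distribution. The toy values R=2^32, d=7, γ=50 and all function names are assumptions made for the illustration.

```python
import random

R = 2 ** 32          # toy range (assumption); the slides use R = 2^(2n^2)

def sample_wavy(d, gamma, rng):
    """One sample of the d,gamma-wavy distribution on {0,...,R-1}: a uniformly
    chosen peak k*R/d plus Gaussian noise with std = period / gamma."""
    peak = rng.randrange(d) * R / d
    return round(peak + rng.gauss(0, R / (d * gamma))) % R

def dist(d, a):
    """dist_d(a): normalized distance in [0, 1/2] from the nearest peak."""
    t = (a * d / R) % 1.0
    return min(t, 1.0 - t)

def compress2(a, rng):
    """The slide's step: return a/2 or (a+R)/2, each with probability 1/2."""
    return (a + rng.choice((0, R))) // 2

def experiment(d=7, gamma=50.0, trials=2000, seed=1):
    rng = random.Random(seed)
    wavy = [compress2(sample_wavy(d, gamma, rng), rng) for _ in range(trials)]
    unif = [compress2(rng.randrange(R), rng) for _ in range(trials)]
    return {
        # compressed wavy samples land near the peaks of 2d-wavy
        "wavy_mean_dist_2d": sum(dist(2 * d, a) for a in wavy) / trials,
        # compressed uniform samples stay uniform: mean distance about 1/4
        "unif_mean_dist_2d": sum(dist(2 * d, a) for a in unif) / trials,
        # both halves of {0,...,R-1} are hit, so all 2d peaks are covered
        "upper_half_fraction": sum(a >= R // 2 for a in wavy) / trials,
    }

if __name__ == "__main__":
    for name, value in experiment().items():
        print(f"{name}: {value:.4f}")
```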


Reduction

  • Assume there exists a distinguisher between uniform and d,γ-wavy distribution for some non-negligible fraction of d in [2^(n^2), 2•2^(n^2)]

  • Given either a uniform or a d,γ-wavy distribution for some integer d<2^(n^2) repeat the following:

    • Choose a in {1,…,2•2^(n^2)} according to a certain distribution

    • Compress the distribution by a

    • Check the distinguisher’s acceptance probability

  • If for some a the acceptance probability differs from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’


Reduction

  • Distribution is uniform:

    • After compression it is still uniform

    • Hence, the distinguisher’s acceptance probability equals that of uniform sequences for all a

  • Distribution is d,γ-wavy:

    • After compression it is in the good range with some probability

    • Hence, for some a, the distinguisher’s acceptance probability differs from that of uniform sequences

[Figure: axis of d starting at 1, with the range from 2^(n^2) to 2•2^(n^2) marked]


Application 1: Public Key Encryption Scheme


PKE – Description

  • Let m = 2•log_2 R = 4n^2

  • Private key:

    • A real number y chosen uniformly in [2^(n^2), 2•2^(n^2)] such that y is close to an integer (within 1/(100m))

  • Public key:

    • Choose integers A={a_1,…,a_m} from the y,γ-wavy distribution with γ=n^(1+ε)

  • Lemma: Public keys are indistinguishable from uniform sequences (based on n^(1.5+ε)-unique-SVP)


PKE – Description (cont.)

  • Private key: y

  • Public key: A={a_1,…,a_m}

  • Encryption:

    • Bit 0: a number chosen uniformly in {0,…,R-1}

    • Bit 1: the sum of a random subset of A mod R

  • Decryption of w:

    • If dist_y(w)<1/50 then 1 otherwise 0


PKE – Correctness

  • Encryption of the bit 0:

    • With probability 96%, dist_y(Σa_i)>1/50

    • These errors can be avoided

  • Encryption of the bit 1:

    • For a subset S, with high probability,

      dist_y(Σa_i)<1/100

    • Using Σa_i < m•R,

      dist_y(Σa_i mod R)<1/50


PKE - Security

  • Lemma: If {a_1,…,a_m} is a uniform sequence then both encryptions of 0 and of 1 are uniform

  • Hence, distinguishing between encryptions of 0 and 1 implies distinguishing between public keys and uniform sequences!

[Diagram: with a public key {a_1,…,a_m}: Enc(0) ? Enc(1); with a uniform {a_1,…,a_m}: Enc(0) ~ Enc(1)]


PKE – Security

  • Lemma: Public keys are indistinguishable from uniform sequences (based on n^(1.5+ε)-unique-SVP)

  • Proof: Follows from the average-case theorem (since we choose y from a set of size 1/(50m) of all [2^(n^2), 2•2^(n^2)])


Application 2: Collision Resistant Hash Function


Collision Resistant Hash Function

  • Choose a_1,…,a_m uniformly in {0,…,R-1} where m = 2•log_2 R = 4n^2. Then:

    • b_1,…,b_m∈{0,1}, f(b_1,…,b_m)=Σb_ia_i mod R

  • We will see a simpler proof based on n^(2.5+ε)-uSVP


Collision Resistant Hash Function

  • Assume there exists a collision finding algorithm C

  • I.e., with non-negligible probability, given a_1,…,a_m chosen uniformly, C finds c_1,…,c_m∈{-1,0,1} (not all zero) such that Σa_ic_i = 0 (mod R)


Collision Resistant Hash Function

  • We show how to distinguish between the uniform and the d,γ-wavy with γ=n^(2+ε) using C

  • Choose z uniformly from {0,…,R-1}

  • With probability 0.9, dist_d(z) > 1/20

  • Repeat the following enough times:

    • Choose a_1,…,a_m from the unknown distribution

    • Call C with a_1,…,a_(k-1),(a_k+z mod R),a_(k+1),…,a_m where k is chosen uniformly from {1,…,m}

  • If c_k is always zero or C keeps failing, say ‘wavy’ otherwise ‘uniform’


Correctness

  • Distribution is uniform:

    • a_1,…,a_(k-1),(a_k+z mod R),a_(k+1),…,a_m has the same distribution as a uniform sequence

    • Therefore, C answers with non-negligible probability and c_k≠0 with probability at least 1/m

  • Distribution is d,γ-wavy:

    • W.h.p., ∀i∈{1,…,m}, dist_d(a_i) < 1/(100n^2)

    • For all c_1,…,c_m∈{-1,0,1}, dist_d(Σc_ia_i) < 1/25 (since m=4n^2)

    • Therefore, if z has dist_d(z) > 1/20 then it can never be included in the sum, i.e., c_k=0


Application 3: Quantum Computation – The Dihedral HSP


Hidden Subgroup Problem

  • Given a function that is constant and distinct on cosets of H≤G, find H

  • Solved for Abelian groups

  • Also for certain non-Abelian groups [RöttelerBeth’98,HallgrenRussellTashma’00,GrigniSchulmanVaziraniVazirani’01…]

  • Still open for many groups. In particular:

    • Symmetric group

    • Dihedral group (Z_N⋊Z_2)


Solving Dihedral HSP

  • Two approaches:

  • Ettinger and Høyer ’00

    • Reduction to “Period finding from samples”

  • R ’02, Kuperberg ’03

    • Reduction to average case subset sum


Solving Dihedral HSP

  • Idea of Ettinger and Høyer:

    • Reduce to “Hidden Translation on Z_N”:

      Given an oracle that outputs states of the form |x⟩+|x+d⟩ where x is arbitrary and d is fixed, find d

    • Take the Fourier transform

    • Measure


Period Finding from Samples

  • Find the period of the following (cos^2) distribution by sampling:

[Figure: the cos^2 distribution plotted over 0 to R-1]

  • [EH] showed that there is enough information in a polynomial number of samples

  • Open question in [EH]: is there an efficient solution to this problem?


Reduction

  • Lemma: A distinguisher between cos^2 and the uniform distribution implies a distinguisher between the wavy and uniform distribution



Reduction

  • Corollary: finding the period of the cos^2 distribution is hard

  • Proof: Since all cos^2 distributions look like uniform, they all look the same


Conclusion

  • Main theorem

  • Average case form

  • Applications

    • Strong public key encryption scheme

    • Collision resistant hash function

    • Solution to an open question in quantum computation

  • Other applications?

