New Lattice Based Cryptographic Constructions

Oded Regev


### Proof of the Main Theorem

### Application 1: Public Key Encryption Scheme

### Application 2: Collision Resistant Hash Function

### Application 3: Quantum Computation – The Dihedral HSP

Lattices

- Basis: $v_1,\dots,v_n$ vectors in $\mathbb{R}^n$
- The lattice is $a_1v_1+\dots+a_nv_n$ for all integer $a_1,\dots,a_n$.
- What is the shortest vector $u$?

[Figure: lattice points labelled 0, v1, v2, v1+v2, 2v1, 2v2, 2v2-v1, 2v2-2v1]

f(n)-unique-SVP (shortest vector problem)

- Promise: the shortest vector $u$ is shorter by a factor of $f(n)$
- Algorithm for $2^n$-unique SVP [LLL82, Schnorr87]
- Believed to be hard for any $n^c$

[Figure: scale of $f(n)$ marked at 1, $n^c$ and $2^n$, with regions labelled "believed hard" and "easy"]

History

- Geometric objects with rich structure
- Early work by Gauss 1801, Hermite 1850, Minkowski 1896
- More recent developments:
  - LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovász82]
    - Factoring rational polynomials
    - Solving integer programs in a fixed dimension
    - Breaking knapsack cryptosystems
  - Ajtai’s average case connection [Ajtai96]
  - Lattice based cryptosystems

Question

- From which distribution is the following sequence taken?
478, 21, 431, 897, 150, 701, 929, 232

Uniform? Or wavy?

[Figure: two plots of Prob over the range 1 to 1000, one for the uniform distribution and one for the wavy distribution]

The d,γ-wavy Distribution

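- Periodization of the normal distribution
- $R=2^{2n^2}$
- Number of periods is $d$ (usually integer)
- Ratio of period to standard dev. is $\gamma$
- $\mathrm{dist}_d : \{0,\dots,R-1\} \to [0,\tfrac12]$ is the normalized distance from the nearest peak

[Figure: the wavy distribution with d=7, Prob plotted over 0 to R-1; the ratio of period to standard deviation is marked as γ]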

Main Theorem

- For all $\gamma=\gamma(n)$, a reduction from the $\gamma n^{1/2}$-unique Shortest Vector Problem to distinguishing between the uniform distribution and the $d,\gamma$-wavy distributions with an integer $d<2^{n^2}$

Average-case Theorem

- For all $\gamma=\gamma(n)$, a reduction from the $\gamma n^{1/2}$-unique Shortest Vector Problem to distinguishing between the uniform distribution and the $d,\gamma$-wavy distributions for a non-negligible fraction of values $d$ in $[2^{n^2}, 2\cdot 2^{n^2}]$

Applications of Main Theorem

- Public key encryption scheme
- Collision resistant hash function
- A problem in quantum computation

Cryptography

- ‘Standard’ cryptography:
  - Usually based on factoring, discrete log, principal ideal problem
  - Average case assumption
  - Mostly broken by quantum computers
- Lattice based cryptography [Ajtai96,…]:
  - Based on lattice problems
  - Worst case assumption
  - Still not broken by quantum computers

Application 1: Public Key Encryption (PKE)

- Consists of private key, public key, encryption and decryption
- The Ajtai-Dwork cryptosystem [AjtaiDwork96, GoldreichGoldwasserHalevi97]
  - Previously, the only lattice based PKE with worst case assumption
  - Based on $n^7$-unique Shortest Vector Problem

Application 1: Public Key Encryption (PKE)

- We construct a new lattice based PKE from the average-case theorem:
  - Very simple description
  - Improves Ajtai-Dwork to $n^{1.5}$-unique Shortest Vector Problem
  - Uses integer numbers, very efficient

Application 2: Collision Resistant Hash Function

- A function $f:\{0,1\}^r \to \{0,1\}^s$ with $r>s$ such that it is hard to find collisions, i.e.,
  - $x \ne y$ s.t. $f(x)=f(y)$
- Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02]
- Our construction is
  - The first which is not based on Ajtai’s iterative step
  - Somewhat stronger (based on $n^{1.5}$-uSVP)

Application 3: Quantum Computation

- Quantum computers can break cryptography based on factoring [Shor96]
- Based on the HSP on Abelian groups
- What about lattice based cryptography?

Application 3: Quantum Computation

- Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02]
- Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]

Main Theorem

- For all $\gamma=\gamma(n)$, a reduction from the $\gamma n^{1/2}$-unique Shortest Vector Problem to distinguishing between the uniform distribution and the $d,\gamma$-wavy distributions with an integer $d<2^{n^2}$

Reduction to: Decision Problem

- Given an $n^{1.5}$-unique lattice, and a prime $p>n^{1.5}$
- Assume the shortest vector is: $u = a_1v_1+a_2v_2+\dots+a_nv_n$
- Decide whether $a_1$ is divisible by $p$

The Reduction

- Idea: decrease the coefficients of the shortest vector
- If we find out that $p \mid a_1$ then we can replace the basis with $pv_1,v_2,\dots,v_n$.
- $u$ is still in the new lattice: $u = (a_1/p)\cdot pv_1 + a_2v_2 + \dots + a_nv_n$
- The same can be done whenever $p \mid a_i$ for some $i$

The Reduction

- But what if $p \nmid a_i$ for all $i$?
- Consider the basis $v_1, v_2-v_1, v_3, \dots, v_n$
- The shortest vector is $u = (a_1+a_2)v_1 + a_2(v_2-v_1) + a_3v_3 + \dots + a_nv_n$
- The first coefficient is $a_1+a_2$
- Similarly, we can set it to $a_1-\lfloor p/2\rfloor a_2, \dots, a_1-a_2, a_1, a_1+a_2, \dots, a_1+\lfloor p/2\rfloor a_2$
- One of them is divisible by $p$, so we choose it and continue

Reduction from: Decision Problem

- Given an $n^{1.5}$-unique lattice, and a prime $p>n^{1.5}$
- Assume the shortest vector is: $u = a_1v_1+a_2v_2+\dots+a_nv_n$
- Decide whether $a_1$ is divisible by $p$

Reduction to: Promise Problem

- Given a lattice, distinguish between:
  - Case 1. Shortest vector is of length $1/n$ and all non-parallel vectors are of length more than $\sqrt{n}$
  - Case 2. Shortest vector is of length more than $\sqrt{n}$

The reduction

- Input: a basis $(v_1,\dots,v_n)$ of an $n^{1.5}$-unique lattice
- Scale the lattice so that the shortest vector is of length $1/n$
- Replace $v_1$ by $pv_1$. Let $M$ be the resulting lattice
- If $p \mid a_1$ then $M$ has shortest vector $1/n$ and all non-parallel vectors more than $\sqrt{n}$
- If $p \nmid a_1$ then $M$ has shortest vector more than $\sqrt{n}$

The lattice M

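- The lattice $M$ is spanned by $pv_1,v_2,\dots,v_n$:
  - If $p \mid a_1$, then $u = (a_1/p)\cdot pv_1 + a_2v_2 + \dots + a_nv_n \in M$:

[Figure: the lattice M around the origin 0, with the shortest vector u]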

Reduction from: Promise Problem

- Given a lattice, distinguish between:
  - Case 1. Shortest vector is of length $1/n$ and all non-parallel vectors are of length more than $\sqrt{n}$
  - Case 2. Shortest vector is of length more than $\sqrt{n}$

Reduction

- Choose a point randomly from L*
- Perturb it by a Gaussian of radius n

Analyzing the Distribution

- Theorem: (using [Banaszczyk’93])
  The distribution obtained above depends only on the points in $L$ of distance $\sqrt{n}$ from the origin (up to an exponentially small error)
- Therefore,
  - Case 1: Determined by multiples of $u$: wavy on hyperplanes orthogonal to $u$
  - Case 2: Determined by the origin: uniform

Proof of Theorem

- For a set $A$ in $\mathbb{R}^n$, define:
- Poisson Summation Formula implies:
- Banaszczyk’s theorem:
For any lattice L,

Proof of Theorem (cont.)

- In Case 2, the distribution obtained is very close to uniform:
- Because:

Proof Outline

$n^{1.5}$-Unique-SVP → decision problem → promise problem → n-dim distributions → Main theorem

n-dimensional distributions

- Distinguish between the distributions
- Given by an oracle that returns points inside a cube of side length $2^n$

[Figure: samples inside the cube, Wavy or Uniform?]

Reducing to 1-dimension

- First attempt: sample and project to a line

Reducing to 1-dimension

- But then we lose the wavy structure!
- We should project only from points very close to the line

The solution

- Use the periodicity of the distribution
- Project on a ‘dense line’ :

The solution

- We choose the line that connects the origin to $e_1+Ke_2+K^2e_3+\dots+K^{n-1}e_n$ where $K$ is large enough
- The distance between hyperplanes is $n$
- The sides are of length $2^n$
- Therefore, we choose $K=2^{O(n)}$
- Hence, $d<O(K^n)=2^{O(n^2)}$

Worst-case vs. Average-case

- Main theorem presents a problem that is hard in the worst-case: distinguish between uniform and $d,\gamma$-wavy distributions for all integers $d<2^{n^2}$
- For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and $d,\gamma$-wavy distributions for a non-negligible fraction of $d$ in $[2^{n^2}, 2\cdot 2^{n^2}]$

Compressing

- The following procedure transforms $d,\gamma$-wavy into $2d,\gamma$-wavy for all integer $d$:
  - Sample $a$ from the distribution
  - Return either $a/2$ or $(a+R)/2$ with probability ½
- In general, for any real $a \ge 1$, we can compress $d,\gamma$-wavy into $ad,\gamma$-wavy
- Notice that compressing preserves the uniform distribution
- We show a reduction from worst-case to average-case

Reduction

- Assume there exists a distinguisher between uniform and $d,\gamma$-wavy distribution for some non-negligible fraction of $d$ in $[2^{n^2}, 2\cdot 2^{n^2}]$
- Given either a uniform or a $d,\gamma$-wavy distribution for some integer $d<2^{n^2}$ repeat the following:
  - Choose $a$ in $\{1,\dots,2\cdot 2^{n^2}\}$ according to a certain distribution
  - Compress the distribution by $a$
  - Check the distinguisher’s acceptance probability
- If for some $a$ the acceptance probability differs from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’

Reduction

- Distribution is uniform:
  - After compression it is still uniform
  - Hence, the distinguisher’s acceptance probability equals that of uniform sequences for all $a$
- Distribution is $d,\gamma$-wavy:
  - After compression it is in the good range with some probability
  - Hence, for some $a$, the distinguisher’s acceptance probability differs from that of uniform sequences

[Figure: number line marked 1, …, $2^{n^2}$, …, $2\cdot 2^{n^2}$, with $d$ indicated]

PKE – Description

- Let $m=2\log_2 R=4n^2$
- Private key:
  - A real number $y$ chosen uniformly in $[2^{n^2}, 2\cdot 2^{n^2}]$ such that $y$ is close to an integer (within $1/(100m)$)
- Public key:
  - Choose integers $A=\{a_1,\dots,a_m\}$ from the $y,\gamma$-wavy distribution with $\gamma=n^{1+\varepsilon}$
- Lemma: Public keys are indistinguishable from uniform sequences (based on $n^{1.5+\varepsilon}$ unique-SVP)

PKE – Description (cont.)

- Private key: $y$
- Public key: $A=\{a_1,\dots,a_m\}$
- Encryption:
  - Bit 0: a number chosen uniformly in $\{0,\dots,R-1\}$
  - Bit 1: the sum of a random subset of $A$ mod $R$
- Decryption of $w$:
  - If $\mathrm{dist}_y(w)<1/50$ then 1 otherwise 0
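The wavy distribution defined earlier and the key generation, encryption and decryption rules above, put together as an added example (not code from the talk). The toy dimension, the value of GAMMA and all function names are assumptions made for the demo; the parameters are far too small to offer any security.

```python
import random

N_DIM = 4                    # toy n, constructed for the demo; far too small to be secure
R = 2 ** (2 * N_DIM ** 2)    # R = 2^(2n^2)
M = 4 * N_DIM ** 2           # m = 2*log2(R) = 4n^2
GAMMA = 8000.0               # assumption: far above n^(1+eps) so decryption works at toy size

def dist(y, w):
    """Normalized distance in [0, 1/2] from w to the nearest peak (multiple of R/y)."""
    t = (w * y / R) % 1.0
    return min(t, 1.0 - t)

def sample_wavy(y, rng):
    """One y,gamma-wavy sample: a random peak k*R/y plus Gaussian noise, rounded."""
    period = R / y
    k = rng.randrange(int(y))
    return round(k * period + rng.gauss(0.0, period / GAMMA)) % R

def keygen(rng):
    """Private y in [2^(n^2), 2*2^(n^2)] within 1/(100m) of an integer; public a_1..a_m."""
    lo = 2 ** (N_DIM ** 2)
    y = rng.randrange(lo, 2 * lo) + rng.uniform(-1.0, 1.0) / (100 * M)
    return y, [sample_wavy(y, rng) for _ in range(M)]

def encrypt(pub, bit, rng):
    """Bit 0: uniform in {0..R-1}. Bit 1: sum of a random subset of the public key mod R."""
    if bit == 0:
        return rng.randrange(R)
    return sum(a for a in pub if rng.random() < 0.5) % R

def decrypt(y, w):
    return 1 if dist(y, w) < 1 / 50 else 0

def success_rates(seed=1, trials=2000):
    """Fraction of encryptions of 1 and of 0 that decrypt correctly."""
    rng = random.Random(seed)
    y, pub = keygen(rng)
    ones = sum(decrypt(y, encrypt(pub, 1, rng)) for _ in range(trials))
    zeros = sum(1 - decrypt(y, encrypt(pub, 0, rng)) for _ in range(trials))
    return ones / trials, zeros / trials
```

Encryptions of 1 always land within 1/50 of a peak, while a uniform encryption of 0 falls that close to a peak about 4% of the time, which is the decryption error the correctness slide refers to.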

PKE – Correctness

- Encryption of the bit 0:
  - With probability 96%, $\mathrm{dist}_y(\sum a_i)>1/50$
  - These errors can be avoided
- Encryption of the bit 1:
  - For a subset $S$, with high probability, $\mathrm{dist}_y(\sum a_i)<1/100$
  - Using $\sum a_i < m\cdot R$, $\mathrm{dist}_y(\sum a_i \bmod R)<1/50$

PKE - Security

- Lemma: If $\{a_1,\dots,a_m\}$ is a uniform sequence then both encryptions of 0 and of 1 are uniform
- Hence, distinguishing between encryptions of 0 and 1 implies distinguishing between public keys and uniform sequences!

[Diagram: with a public key $\{a_1,\dots,a_m\}$, Enc(0) ? Enc(1); with a uniform $\{a_1,\dots,a_m\}$, Enc(0) ~ Enc(1)]

PKE – Security

- Lemma: Public keys are indistinguishable from uniform sequences (based on $n^{1.5+\varepsilon}$ unique-SVP)
- Proof: Follows from the average-case theorem (since we choose $y$ from a set of size $1/(50m)$ of all $[2^{n^2}, 2\cdot 2^{n^2}]$)

Collision Resistant Hash Function

- Choose $a_1,\dots,a_m$ uniformly in $\{0,\dots,R-1\}$ where $m=2\log_2 R=4n^2$. Then:
  - $\forall b_1,\dots,b_m \in \{0,1\}$, $f(b_1,\dots,b_m)=\sum b_i a_i \bmod R$
- We will see a simpler proof based on $n^{2.5+\varepsilon}$-uSVP

Collision Resistant Hash Function

- Assume there exists a collision finding algorithm $C$
- I.e., with non-negligible probability, given $a_1,\dots,a_m$ chosen uniformly, $C$ finds $c_1,\dots,c_m \in \{-1,0,1\}$ (not all zero) such that
  - $\sum a_i c_i = 0 \pmod R$

Collision Resistant Hash Function

- We show how to distinguish between the uniform and the $d,\gamma$-wavy with $\gamma=n^{2+\varepsilon}$ using $C$
- Choose $z$ uniformly from $\{0,\dots,R-1\}$
  - With probability 0.9, $\mathrm{dist}_d(z) > 1/20$
- Repeat the following enough times:
  - Choose $a_1,\dots,a_m$ from the unknown distribution
  - Call $C$ with $a_1,\dots,a_{k-1},(a_k+z \bmod R),a_{k+1},\dots,a_m$ where $k$ is chosen uniformly from $\{1,\dots,m\}$
- If $c_k$ is always zero or $C$ keeps failing, say ‘wavy’ otherwise ‘uniform’

Correctness

- Distribution is uniform:
  - $a_1,\dots,a_{k-1},(a_k+z \bmod R),a_{k+1},\dots,a_m$ has the same distribution as a uniform sequence
  - Therefore, $C$ answers with non-negligible probability and $c_k \ne 0$ with probability at least $1/m$
- Distribution is $d,\gamma$-wavy:
  - W.h.p., $\forall i \in \{1,\dots,m\}$, $\mathrm{dist}_d(a_i) < 1/(100n^2)$
  - For all $c_1,\dots,c_m \in \{-1,0,1\}$, $\mathrm{dist}_d(\sum c_i a_i) < 1/25$ (since $m=4n^2$)
  - Therefore, if $z$ has $\mathrm{dist}_d(z) > 1/20$ then it can never be included in the sum, i.e., $c_k=0$
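The distinguisher built from a collision finder and the correctness argument above, as an added example that is not code from the talk. The toy parameters, GAMMA and all names are assumptions; `collision_finder` is a brute-force stand-in for the hypothetical algorithm C, and the shift z is passed in by the caller, whereas the slides draw it uniformly and rely on $\mathrm{dist}_d(z) > 1/20$ holding with probability 0.9.

```python
import random

N_DIM = 3                    # toy n, constructed; collisions are found by brute force
R = 2 ** (2 * N_DIM ** 2)    # R = 2^(2n^2) = 2^18
M = 4 * N_DIM ** 2           # m = 4n^2 = 36
D = 100                      # integer number of periods, d < 2^(n^2)
GAMMA = 5000.0               # assumption: large enough that dist_d(a_i) < 1/(100 n^2) w.h.p.

def dist(w):
    """dist_d(w): normalized distance in [0, 1/2] from w to the nearest multiple of R/d."""
    t = (w * D / R) % 1.0
    return min(t, 1.0 - t)

def wavy(rng):
    """One d,gamma-wavy sample: a random peak k*R/d plus Gaussian noise, rounded."""
    return round(rng.randrange(D) * R / D + rng.gauss(0.0, R / (D * GAMMA))) % R

def uniform(rng):
    return rng.randrange(R)

def collision_finder(key, rng):
    """Toy stand-in for C: birthday search for x != x' with f(x) = f(x'); returns c = x - x'."""
    seen = {}
    while True:
        x = tuple(rng.randrange(2) for _ in key)
        h = sum(a for a, b in zip(key, x) if b) % R
        if h in seen and seen[h] != x:
            return [p - q for p, q in zip(seen[h], x)]
        seen[h] = x

def distinguish(source, z, rng, rounds=20):
    """Says 'uniform' as soon as C uses the shifted element a_k + z, 'wavy' if it never does."""
    for _ in range(rounds):
        key = [source(rng) for _ in range(M)]
        k = rng.randrange(M)
        key[k] = (key[k] + z) % R
        c = collision_finder(key, rng)
        assert sum(a * ci for a, ci in zip(key, c)) % R == 0   # c is a valid relation
        if c[k] != 0:
            return "uniform"
    return "wavy"
```

With a wavy key every collision leaves the shifted position untouched, because a sum containing z sits more than 1/20 from a peak while the other terms together stay within 1/25.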

Hidden Subgroup Problem

- Given a function that is constant and distinct on cosets of $H \le G$, find $H$
- Solved for Abelian groups
- Also for certain non-Abelian groups [RöttelerBeth’98, HallgrenRussellTashma’00, GrigniSchulmanVaziraniVazirani’01…]
- Still open for many groups. In particular:
  - Symmetric group
  - Dihedral group ($\mathbb{Z}_N \rtimes \mathbb{Z}_2$)

Solving Dihedral HSP

- Two approaches:
  - Ettinger and Høyer ’00
    - Reduction to “Period finding from samples”
  - R ’02, Kuperberg ’03
    - Reduction to average case subset sum

Solving Dihedral HSP

- Idea of Ettinger and Høyer:
  - Reduce to “Hidden Translation on $\mathbb{Z}_N$”:
    Given an oracle that outputs states of the form $|x\rangle+|x+d\rangle$ where $x$ is arbitrary and $d$ is fixed, find $d$
  - Take the Fourier transform
  - Measure

Period Finding from Samples

- Find the period of the following ($\cos^2$) distribution by sampling:
- [EH] showed that there is enough information in a polynomial number of samples
- Open question in [EH]: is there an efficient solution to this problem?

[Figure: the $\cos^2$ distribution plotted over 0 to R-1]

Reduction

- Lemma: A distinguisher between $\cos^2$ and the uniform distribution implies a distinguisher between the wavy and uniform distribution

Reduction

- Corollary: finding the period of the $\cos^2$ distribution is hard
- Proof: Since all $\cos^2$ distributions look like uniform, they all look the same

Conclusion

- Main theorem
- Average case form
- Applications
  - Strong public key encryption scheme
  - Collision resistant hash function
  - Solution to an open question in quantum computation
- Other applications?
