
# New Lattice Based Cryptographic Constructions - PowerPoint PPT Presentation

Oded Regev. Lattices. Basis: v1,…,vn vectors in R^n. The lattice is a1v1+…+anvn for all integers a1,…,an. What is the shortest vector u?


## Presentation Transcript

Lattices

• Basis: v1,…,vn vectors in R^n

• The lattice is a1v1+…+anvn for all integers a1,…,an

• What is the shortest vector u?

[Figure: a 2-dimensional lattice spanned by v1, v2, with the points 0, v1, v2, v1+v2, 2v1, 2v2, 2v2-v1, 2v2-2v1 and 3v1-4v2 labelled]

Lattices – not so easy

[Figure: the same kind of lattice drawn from a skewed basis v1, v2 around the origin 0; the shortest vector is no longer obvious]

f(n)-unique-SVP (shortest vector problem)

• Promise: the shortest vector u is shorter by a factor of f(n) than every lattice vector not parallel to it

• Algorithm for 2^n-unique SVP [LLL82,Schnorr87]

• Believed to be hard for any n^c

[Figure: the scale of f(n) from 1 through n^c to 2^n; n^c is marked "believed hard", 2^n is marked "easy"]

• Geometric objects with rich structure

• Early work by Gauss 1801, Hermite 1850, Minkowski 1896

• More recent developments:

  • LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovász82]

    • Factoring rational polynomials

    • Solving integer programs in a fixed dimension

    • Breaking knapsack cryptosystems

  • Ajtai’s average case connection [Ajtai96]

    • Lattice based cryptosystems

• From which distribution is the following sequence taken?

478, 21, 431, 897, 150, 701, 929, 232

• Uniform? Or wavy?

[Figure: two candidate probability densities over {0,…,1000}: a flat (uniform) one and a periodic (wavy) one]

• Periodization of the normal distribution

• R=2^(2n^2)

• Number of periods is d (usually integer)

• Ratio of period to standard dev. is γ

• dist_d : {0,…,R-1} → [0,½] is the normalized distance from the nearest peak

[Figure: the d,γ-wavy distribution over {0,…,R-1} with d=7 peaks]

• Main theorem: for all γ=γ(n), a reduction from γn^(1/2)-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n^2)

• Average-case theorem: for all γ=γ(n), a reduction from γn^(1/2)-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions for a non-negligible fraction of values d in [2^(n^2),2•2^(n^2)]

• Public key encryption scheme

• Collision resistant hash function

• A problem in quantum computation

• ‘Standard’ cryptography:

  • Usually based on factoring, discrete log, principal ideal problem

  • Average case assumption

  • Mostly broken by quantum computers

• Lattice based cryptography [Ajtai96,…]:

  • Based on lattice problems

  • Worst case assumption

  • Still not broken by quantum computers

Application 1: Public Key Encryption (PKE)

• Consists of private key, public key, encryption and decryption

• The Ajtai-Dwork cryptosystem [AjtaiDwork96,GoldreichGoldwasserHalevi97]

  • Previously, the only lattice based PKE with worst case assumption

  • Based on n^7-unique Shortest Vector Problem

• We construct a new lattice based PKE from the average-case theorem:

  • Very simple description

  • Improves Ajtai-Dwork to n^1.5-unique Shortest Vector Problem

  • Uses integer numbers, very efficient

Application 2: Collision Resistant Hash Function

• A function f:{0,1}^r → {0,1}^s with r>s such that it is hard to find collisions, i.e., x≠y s.t. f(x)=f(y)

• Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02]

• Our construction is

  • The first which is not based on Ajtai’s iterative step

  • Somewhat stronger (based on n^1.5-uSVP)

Application 3: Quantum Computation

• Quantum computers can break cryptography based on factoring [Shor96]

  • Based on the HSP on Abelian groups

• What about lattice based cryptography?

• Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02]

• Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]

• Main theorem (restated): for all γ=γ(n), a reduction from γn^(1/2)-unique Shortest Vector Problem to distinguishing between the uniform distribution and the d,γ-wavy distributions with an integer d<2^(n^2)

### Proof of the Main Theorem

[Roadmap of the proof: n^1.5-Unique-SVP → decision problem → promise problem → n-dim distributions → main theorem]

Reduction to: Decision Problem

• Given an n^1.5-unique lattice, and a prime p>n^1.5

• Assume the shortest vector is u = a1v1+a2v2+…+anvn

• Decide whether a1 is divisible by p

• Idea: decrease the coefficients of the shortest vector

• If we find out that p|a1 then we can replace the basis with pv1,v2,…,vn

• u is still in the new lattice: u = (a1/p)•pv1 + a2v2 + … + anvn

• The same can be done whenever p|ai for some i

The Reduction

• But what if p ∤ ai for all i?

• Consider the basis v1,v2-v1,v3,…,vn

• The shortest vector is u = (a1+a2)v1 + a2(v2-v1) + a3v3 + … + anvn

• The first coefficient is a1+a2

• Similarly, we can set it to a1-⌊p/2⌋a2, …, a1-a2, a1, a1+a2, …, a1+⌊p/2⌋a2

• One of them is divisible by p, so we choose it and continue


Reduction from: Decision Problem

• Given an n^1.5-unique lattice, and a prime p>n^1.5

• Assume the shortest vector is u = a1v1+a2v2+…+anvn

• Decide whether a1 is divisible by p

Reduction to: Promise Problem

• Given a lattice, distinguish between:

Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n

Case 2. Shortest vector is of length more than n

The reduction

• Input: a basis (v1,…,vn) of an n^1.5-unique lattice

• Scale the lattice so that the shortest vector is of length 1/n

• Replace v1 by pv1. Let M be the resulting lattice

• If p | a1 then M has shortest vector of length 1/n and all non-parallel vectors of length more than n

• If p ∤ a1 then M has shortest vector of length more than n

[Figure: the scaled lattice L; the multiples -u, 0, u, 2u of the shortest vector u are 1/n apart, and every non-parallel vector is longer than n]

The lattice M

• The lattice M is spanned by pv1,v2,…,vn:

• If p|a1, then u = (a1/p)•pv1 + a2v2 +…+ anvn ∈ M

[Figure: M in this case still contains u, of length 1/n; all non-parallel vectors have length more than n]

• The lattice M is spanned by pv1,v2,…,vn:

• If p ∤ a1, then u ∉ M

[Figure: M in this case contains only the multiples …, -pu, 0, pu, … of u, and its shortest vector is longer than n]


Reduction from: Promise Problem

• Given a lattice, distinguish between:

Case 1. Shortest vector is of length 1/n and all non-parallel vectors are of length more than n

Case 2. Shortest vector is of length more than n

• Distinguish between the distributions: uniform or wavy?

[Figure: the two n-dimensional target distributions, uniform and wavy]

• Given a lattice L, the dual lattice is

L* = { x | ∀y∈L, <x,y>∈Z }

[Figure: a one-dimensional example: L with spacing 5 and its dual L* with spacing 1/5, both containing 0]

L* - the dual of L

[Figure: L and its dual L* in Case 1 (the shortest vector of L has length 1/n) and in Case 2 (the shortest vector of L is longer than n)]

• Choose a point randomly from L*

• Perturb it by a Gaussian of radius n

[Figure: L* and the perturbed L* in Case 1 and in Case 2]

• Theorem: (using [Banaszczyk’93])

The distribution obtained above depends only on the points in L within distance n of the origin (up to an exponentially small error)

• Therefore,

Case 1: determined by the multiples of u → wavy on hyperplanes orthogonal to u

Case 2: determined by the origin → uniform

• For a set A in R^n, define:

• Poisson Summation Formula implies:

• Banaszczyk’s theorem:

For any lattice L,

• In Case 2, the distribution obtained is very close to uniform:

• Because:


• Distinguish between the distributions

• Given by an oracle that returns points inside a cube of side length 2n

[Figure: the n-dimensional wavy and uniform distributions inside the cube]

• Distinguish between the one-dimensional distributions over {0,…,R-1}: uniform or wavy

[Figure: the uniform and the wavy distribution on 0,…,R-1]

• First attempt: sample and project to a line

• But then we lose the wavy structure!

• We should project only from points very close to the line

• Use the periodicity of the distribution

• Project on a ‘dense line’:

• We choose the line that connects the origin to e1+Ke2+K^2e3+…+K^(n-1)en where K is large enough

• The distance between hyperplanes is n

• The sides are of length 2n

• Therefore, we choose K=2^O(n)

• Hence, d<O(K^n)=2^(O(n^2))


### From Worst-Case to Average-Case

• Main theorem presents a problem that is hard in the worst case: distinguish between uniform and d,γ-wavy distributions for all integers d<2^(n^2)

• For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of d in [2^(n^2), 2•2^(n^2)]

• The following procedure transforms d,γ-wavy into 2d,γ-wavy for all integer d:

  • Sample a from the distribution

  • Return either a/2 or (a+R)/2, each with probability ½

• In general, for any real a≥1, we can compress d,γ-wavy into ad,γ-wavy

• Notice that compressing preserves the uniform distribution

• We show a reduction from worst-case to average-case

• Assume there exists a distinguisher between uniform and d,γ-wavy distributions for some non-negligible fraction of d in [2^(n^2), 2•2^(n^2)]

• Given either a uniform or a d,γ-wavy distribution for some integer d<2^(n^2), repeat the following:

  • Choose a in {1,…,2•2^(n^2)} according to a certain distribution

  • Compress the distribution by a

  • Check the distinguisher’s acceptance probability

• If for some a the acceptance probability differs from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’

• Distribution is uniform:

  • After compression it is still uniform

  • Hence, the distinguisher’s acceptance probability equals that of uniform sequences for all a

• Distribution is d,γ-wavy:

  • After compression it is in the good range with some probability

  • Hence, for some a, the distinguisher’s acceptance probability differs from that of uniform sequences

[Figure: the range of d from 1 to 2•2^(n^2); compression by a moves d into the good range [2^(n^2), 2•2^(n^2)]]
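As an added illustration (not code from the talk), the following Python models the d,γ-wavy distribution at toy scale (R=1000 rather than 2^(2n^2)), implements the a/2-or-(a+R)/2 compression step from the slide above (generalised to any integer factor), and runs a crude dist_d-based distinguisher to show that compression preserves uniformity, turns d-wavy into 2d-wavy, and hides the waviness from a distinguisher tuned to the old d. The Gaussian-around-a-random-peak sampler and the threshold 0.15 are my assumptions.

```python
import random

def dist_d(x, R, d):
    """Normalized distance (in [0, 1/2]) of x from the nearest peak of the
    d-wavy distribution on [0, R); the peaks sit at multiples of R/d."""
    t = x * d / R
    return abs(t - round(t))

def sample_wavy(rng, R, d, gamma):
    """Toy d,gamma-wavy sampler (assumption: a peak k*R/d chosen uniformly,
    plus Gaussian noise whose std is period/gamma, reduced mod R)."""
    period = R / d
    return (rng.randrange(d) * period + rng.gauss(0, period / gamma)) % R

def compress(rng, a, R, alpha=2):
    """The slide's compression step, generalized to an integer factor alpha:
    return (a + j*R)/alpha for j uniform in {0,..,alpha-1}.  With alpha=2
    this is 'a/2 or (a+R)/2 with probability 1/2': a sample near a peak
    k*R/d lands near the peak (k + j*d)*R/(2d) of the 2d-wavy distribution,
    while a uniform sample on [0, R) stays uniform on [0, R)."""
    return (a + rng.randrange(alpha) * R) / alpha

def guess(samples, R, d, threshold=0.15):
    """Crude distinguisher: under the uniform distribution dist_d is uniform
    on [0, 1/2] (mean 1/4); under d-wavy with gamma >> 1 it is close to 0."""
    mean = sum(dist_d(x, R, d) for x in samples) / len(samples)
    return "wavy" if mean < threshold else "uniform"

def demo(R=1000, d=7, gamma=50, n_samples=2000, seed=1):
    """Verdicts on: uniform samples; d-wavy samples; the compressed samples
    judged at 2d (they are 2d-wavy); the compressed samples judged at d
    (half of the new peaks fall between the old ones, so they look uniform)."""
    rng = random.Random(seed)
    uniform = [rng.uniform(0, R) for _ in range(n_samples)]
    wavy = [sample_wavy(rng, R, d, gamma) for _ in range(n_samples)]
    doubled = [compress(rng, a, R) for a in wavy]
    return (guess(uniform, R, d), guess(wavy, R, d),
            guess(doubled, R, 2 * d), guess(doubled, R, d))

if __name__ == "__main__":
    print(demo())   # ('uniform', 'wavy', 'wavy', 'uniform')
```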

### Application 1: Public Key Encryption Scheme

• Let m=2log_2 R=4n^2

• Private key:

  • A real number y chosen uniformly in [2^(n^2),2•2^(n^2)] such that y is close to an integer (within 1/(100m))

• Public key:

  • Choose integers A={a1,…,am} from the y,γ-wavy distribution with γ=n^(1+ε)

• Lemma: Public keys are indistinguishable from uniform sequences (based on n^(1.5+ε)-unique-SVP)

• Private key: y

• Public key: A={a1,…,am}

• Encryption:

  • Bit 0: a number chosen uniformly in {0,…,R-1}

  • Bit 1: the sum of a random subset of A mod R

• Decryption of w:

  • If dist_y(w)<1/50 then 1, otherwise 0

• Encryption of the bit 0:

  • With probability 96%, dist_y(w)>1/50

  • These errors can be avoided

• Encryption of the bit 1:

  • For a subset S, with high probability, dist_y(Σ_{i∈S} ai)<1/100

  • Using Σai < m•R, dist_y(Σai mod R)<1/50

• Lemma: If {a1,…,am} is a uniform sequence then both encryptions of 0 and of 1 are uniform

• Hence, distinguishing between encryptions of 0 and 1 implies distinguishing between public keys and uniform sequences!

[Figure: with the public key {a1,…,am}, Enc(0) vs Enc(1) is the question; with a uniform sequence {a1,…,am} in its place, Enc(0) ~ Enc(1)]

• Lemma: Public keys are indistinguishable from uniform sequences (based on n^(1.5+ε)-unique-SVP)

• Proof: Follows from the average-case theorem (since we choose y from a subset of [2^(n^2),2•2^(n^2)] of density 1/(50m))
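As an added toy implementation (not the talk's or the paper's code), the following Python realizes the scheme above end to end at small parameters. R=2^20, m=24 and γ=2000 are my choices so that decryption works at this size (they are illustrative only, not the talk's asymptotic γ=n^(1+ε)), and the y,γ-wavy distribution is modelled as a random peak j•R/y plus Gaussian noise, which is an assumption. The error-rate function reproduces the 96%/4% behaviour for bit 0 and the near-perfect decryption of bit 1.

```python
import random

def dist_y(w, R, y):
    """Normalized distance (in [0, 1/2]) of w from the nearest peak of the
    y-wavy distribution on {0,..,R-1}; the peaks sit at multiples of R/y."""
    t = w * y / R
    return abs(t - round(t))

def keygen(rng, R, m, gamma):
    """Private key: a real y in [sqrt(R), 2 sqrt(R)) within 1/(100m) of an
    integer.  Public key: m integers from the y,gamma-wavy distribution,
    modelled (assumption) as a random peak j*R/y plus Gaussian noise of
    std (R/y)/gamma, rounded and reduced mod R."""
    k = rng.randrange(int(R ** 0.5), 2 * int(R ** 0.5))
    y = k + rng.uniform(-1, 1) / (100 * m)
    period = R / y
    A = [round(rng.randrange(k) * period + rng.gauss(0, period / gamma)) % R
         for _ in range(m)]
    return y, A

def encrypt(rng, A, R, bit):
    """Bit 0: a uniform element of {0,..,R-1}.
    Bit 1: the sum of a random subset of the public key, mod R."""
    if bit == 0:
        return rng.randrange(R)
    return sum(a for a in A if rng.random() < 0.5) % R

def decrypt(y, R, w):
    """The slide's rule: output 1 if w is within 1/50 of a peak, else 0."""
    return 1 if dist_y(w, R, y) < 1 / 50 else 0

def error_rates(R=2 ** 20, m=24, gamma=2000, trials=500, seed=7):
    """Fraction of wrong decryptions for bit 0 and for bit 1 at toy sizes
    (R, m and gamma are my choices, not the talk's).  Bit 0 fails whenever
    a uniform value lands within 1/50 of a peak, the ~4% the slides mention;
    bit 1 essentially never fails: a subset sum of near-peak values stays
    near a peak, and since y is within 1/(100m) of an integer, reducing
    mod R (at most m wraps) shifts it by at most 1/100 of a period."""
    rng = random.Random(seed)
    y, A = keygen(rng, R, m, gamma)
    bad0 = sum(decrypt(y, R, encrypt(rng, A, R, 0)) != 0 for _ in range(trials))
    bad1 = sum(decrypt(y, R, encrypt(rng, A, R, 1)) != 1 for _ in range(trials))
    return bad0 / trials, bad1 / trials

if __name__ == "__main__":
    print(error_rates())
```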

### Application 2: Collision Resistant Hash Function

• Choose a1,…,am uniformly in {0,…,R-1} where m=2log_2 R=4n^2. Then:

• For b1,…,bm ∈ {0,1}, f(b1,…,bm)=Σbiai mod R

• We will see a simpler proof based on n^(2.5+ε)-uSVP

• Assume there exists a collision finding algorithm C

• I.e., with non-negligible probability, given a1,…,am chosen uniformly, C finds c1,…,cm ∈ {-1,0,1} (not all zero) such that Σaici = 0 (mod R)

• We show how to distinguish between the uniform and the d,γ-wavy distributions with γ=n^(2+ε) using C

• Choose z uniformly from {0,…,R-1}

  • With probability 0.9, dist_d(z) > 1/20

• Repeat the following enough times:

  • Choose a1,…,am from the unknown distribution

  • Call C with a1,…,ak-1,(ak+z mod R),ak+1,…,am where k is chosen uniformly from {1,…,m}

• If ck is always zero or C keeps failing, say ‘wavy’, otherwise ‘uniform’

• Distribution is uniform:

  • a1,…,ak-1,(ak+z mod R),ak+1,…,am has the same distribution as a uniform sequence

  • Therefore, C answers with non-negligible probability and ck≠0 with probability at least 1/m

• Distribution is d,γ-wavy:

  • W.h.p., for all i∈{1,…,m}, dist_d(ai) < 1/(100n^2)

  • For all c1,…,cm ∈ {-1,0,1}, dist_d(Σciai) < 1/25 (since m=4n^2)

  • Therefore, if z has dist_d(z) > 1/20 then it can never be included in the sum, i.e., ck=0

### Application 3: Quantum Computation – The Dihedral HSP

• Given a function that is constant and distinct on cosets of H≤G, find H

• Solved for Abelian groups

• Also for certain non-Abelian groups [RöttelerBeth’98,HallgrenRussellTashma’00,GrigniSchulmanVaziraniVazirani’01…]

• Still open for many groups. In particular:

  • Symmetric group

  • Dihedral group (Z_N ⋊ Z_2)

• Two approaches:

  • Ettinger and Høyer ’00

    • Reduction to “Period finding from samples”

  • R ’02, Kuperberg ‘03

    • Reduction to average case subset sum

• Idea of Ettinger and Høyer:

  • Reduce to “Hidden Translation on Z_N”: given an oracle that outputs states of the form |x⟩+|x+d⟩ where x is arbitrary and d is fixed, find d

  • Take the Fourier transform

  • Measure

  • Find the period of the following (cos²) distribution by sampling:

[Figure: the cos² distribution over 0,…,R-1]

• [EH] showed that there is enough information in a polynomial number of samples

• Open question in [EH]: is there an efficient solution to this problem?

• Lemma: A distinguisher between cos² and the uniform distribution implies a distinguisher between the wavy and uniform distribution

• Corollary: finding the period of the cos² distribution is hard

• Proof: Since all cos² distributions look like uniform, they all look the same

• Main theorem

• Average case form

• Applications

  • Strong public key encryption scheme

  • Collision resistant hash function

  • Solution to an open question in quantum computation

• Other applications?