New Lattice Based Cryptographic Constructions - PowerPoint PPT Presentation

1 / 73
About This Presentation
Title:

New Lattice Based Cryptographic Constructions

Description:

Basis: v1,...,vn vectors in Rn. The lattice is a1v1 ... anvn ... Poisson Summation Formula implies: Banaszczyk's theorem: For any lattice L, Proof of Theorem ... – PowerPoint PPT presentation

Number of Views:283
Avg rating:3.0/5.0
Slides: 74
Provided by: Reg141
Category:

less

Transcript and Presenter's Notes

Title: New Lattice Based Cryptographic Constructions


1
New Lattice Based Cryptographic Constructions
Oded Regev
2
Lattices
  • Basis v1,,vn vectors in Rn
  • The lattice is a1v1anvn for all integer
    a1,,an.
  • What is the shortest vector u ?

v1v2
2v2
2v1
2v2-v1
v1
v2
2v2-2v1
0
3
Lattices not so easy
v1
v2
0
4
f(n)-unique-SVP (shortest vector problem)
  • Promise the shortest vector u is shorter by a
    factor of f(n)
  • Algorithm for 2n-unique SVP LLL82,Schnorr87
  • Believed to be hard for any nc

2n
nc
1
believed hard
easy
5
History
  • Geometric objects with rich structure
  • Early work by Gauss 1801, Hermite 1850, Minkowski
    1896
  • More recent developments
  • LLL Algorithm - approximates the shortest vector
    in a lattice LenstraLenstraLovàsz82
  • Factoring rational polynomials
  • Solving integer programs in a fixed dimension
  • Breaking knapsack cryptosystems
  • Ajtais average case connection Ajtai96
  • Lattice based cryptosystems

6
Question
  • From which distribution is the following sequence
    taken?
  • 478, 21, 431, 897, 150, 701, 929, 232

Uniform?
Prob
1
1000
Prob
Or wavy?
1
1000
7
The d,?-wavy Distribution
  • Periodization of the normal distribution
  • R2(2n2)
  • Number of periods is d (usually integer)
  • Ratio of period to standard dev. is ?
  • distd 0,,R-1 ? 0,½ is the normalized
    distance from the nearest peak

?
d7
Prob
0
R-1
8
Main Theorem
  • For all ??(n), a reduction from
  • ?n1/2-unique Shortest Vector Problem
  • to
  • distinguishing between the uniform
    distribution and the d,?-wavy distributions
    with an integer dlt2(n2)

9
Average-case Theorem
  • For all ??(n), a reduction from
  • ?n1/2-unique Shortest Vector Problem
  • to
  • distinguishing between the uniform
    distribution and the d,?-wavy
  • distributions for a non-negligible
  • fraction of values d in 2(n2),22(n2)

10
Applications of Main Theorem
  • Public key encryption scheme
  • Collision resistant hash function
  • A problem in quantum computation

11
Cryptography
  • Standard cryptography
  • Usually based on factoring, discrete log,
    principal ideal problem
  • Average case assumption
  • Mostly broken by quantum computers
  • Lattice based cryptography Ajtai96,
  • Based on lattice problems
  • Worst case assumption
  • Still not broken by quantum computers

12
Application 1Public Key Encryption (PKE)
  • Consists of private key, public key, encryption
    and decryption
  • The Ajtai-Dwork cryptosystem AjtaiDwork96,Goldrei
    chGoldwasserHalevi97
  • Previously, the only lattice based PKE with worst
    case assumption
  • Based on n7-unique Shortest Vector Problem

13
Application 1Public Key Encryption (PKE)
  • We construct a new lattice based PKE from the
    average-case theorem
  • Very simple description
  • Improves Ajtai-Dwork to n1.5-unique Shortest
    Vector Problem
  • Uses integer numbers, very efficient

14
Application 2Collision Resistant Hash Function
  • A function f0,1r?0,1s with rgts such that it
    is hard to find collisions, i.e.,
  • x?y s.t. f(x)f(y)
  • Many previous constructions Ajtai96,
    GoldreichGoldwasserHalevi96, CaiNerurkar97,
    Cai99, Micciancio02, Micciancio02
  • Our construction is
  • The first which is not based on Ajtais iterative
    step
  • Somewhat stronger (based on n1.5-uSVP)

15
Application 3 Quantum Computation
  • Quantum computers can break cryptography based on
    factoring Shor96
  • Based on the HSP on Abelian groups
  • What about lattice based cryptography?

16
Application 3 Quantum Computation
  • Lattice based cryptography can be broken using
    the HSP on Dihedral groups R02
  • Our main theorem explains the failure of previous
    attempts to solve the HSP on Dihedral groups
    EttingerHoyer00

17
Main Theorem
  • For all ??(n), a reduction from
  • ?n1/2-unique Shortest Vector Problem
  • to
  • distinguishing between the uniform
    distribution and the d,?-wavy distributions
    with an integer dlt2(n2)

18
Proof of theMain Theorem
19
Proof Outline
n1.5-Unique-SVP
decision problem
promise problem
n-dim distributions
Main theorem
20
Reduction toDecision Problem
  • Given a n1.5-unique lattice, and a prime pgtn1.5
  • Assume the shortest vector is
  • u a1v1a2v2anvn
  • Decide whether a1 is divisible by p

21
The Reduction
  • Idea decrease the coefficients of the shortest
    vector
  • If we find out that pa1 then we can replace the
    basis with pv1,v2,,vn .
  • u is still in the new lattice
  • u (a1/p)pv1 a2v2 anvn
  • The same can be done whenever pai for some i

22
The Reduction
  • But what if p ai for all i ?
  • Consider the basis v1,v2-v1,v3,,vn
  • The shortest vector is
  • u (a1a2)v1 a2(v2-v1) a3v3 anvn
  • The first coefficient is a1a2
  • Similarly, we can set it to
  • a1-bp/2ca2 ,, a1-a2 , a1 , a1a2 , ,
    a1bp/2ca2
  • One of them is divisible by p, so we choose it
    and continue

23
Proof Outline
n1.5-Unique-SVP
?
decision problem
promise problem
n-dim distributions
Main theorem
24
Reduction fromDecision Problem
  • Given a n1.5-unique lattice, and a prime pgtn1.5
  • Assume the shortest vector is
  • u a1v1a2v2anvn
  • Decide whether a1 is divisible by p

25
Reduction toPromise Problem
  • Given a lattice, distinguish between
  • Case 1. Shortest vector is of length 1/n and all
    non-parallel vectors are of length more than ?n
  • Case 2. Shortest vector is of length more than ?n

26
The reduction
  • Input a basis (v1,,vn) of a n1.5 unique lattice
  • Scale the lattice so that the shortest vector is
    of length 1/n
  • Replace v1 by pv1. Let M be the resulting lattice
  • If p a1 then M has shortest vector 1/n and all
    non-parallel vectors more than ?n
  • If p a1 then M has shortest vector more than ?n

27
The input lattice L
L
1/n
?n
-u
0
u
2u
28
The lattice M
  • The lattice M is spanned by pv1,v2,,vn
  • If pa1, then u (a1/p)pv1 a2v2 anvn 2M

M
?n
1/n
0
u
29
The lattice M
  • The lattice M is spanned by pv1,v2,,vn
  • If p a1, then u M

M
?n
-pu
0
pu
30
Proof Outline
n1.5-Unique-SVP
?
decision problem
?
promise problem
n-dim distributions
Main theorem
31
Reduction fromPromise Problem
  • Given a lattice, distinguish between
  • Case 1. Shortest vector is of length 1/n and all
    non-parallel vectors are of length more than ?n
  • Case 2. Shortest vector is of length more than ?n

32
n-dimensional distributions
  • Distinguish between the distributions

?
Uniform
Wavy
33
Dual Lattice
  • Given a lattice L, the dual lattice is
  • L x 8y2L, ltx,ygt2Z

1/5
L
L
5
0
0
34
L - the dual of L
L
?n
Case 1
1/n
0
?n
Case 2
35
Reduction
  • Choose a point randomly from L
  • Perturb it by a Gaussian of radius ?n

36
Creating the Distribution
L
L perturb
0
Case 1
n
Case 2
37
Analyzing the Distribution
  • Theorem (using Banaszczyk93)
  • The distribution obtained above depends only on
    the points in L of distance ?n from the origin
  • (up to an exponentially small error)
  • Therefore,
  • Case 1 Determined by multiples of u ?
  • wavy on hyperplanes orthogonal to u
  • Case 2 Determined by the origin ?
  • uniform

38
Proof of Theorem
  • For a set A in Rn, define
  • Poisson Summation Formula implies
  • Banaszczyks theorem
  • For any lattice L,

39
Proof of Theorem (cont.)
  • In Case 2, the distribution obtained is very
    close to uniform
  • Because

40
Proof Outline
n1.5-Unique-SVP
?
decision problem
?
promise problem
?
n-dim distributions
Main theorem
41
n-dimensional distributions
  • Distinguish between the distributions
  • Given by an oracle that returns points inside a
    cube of side length 2n

?
Wavy
Uniform
42
Main Theorem
  • Distinguish between the distributions

Uniform
0
R-1
Wavy
0
R-1
43
Reducing to 1-dimension
  • First attempt sample and project to a line

44
Reducing to 1-dimension
  • But then we lose the wavy structure!
  • We should project only from points very close to
    the line

45
The solution
  • Use the periodicity of the distribution
  • Project on a dense line

46
The solution
47
The solution
  • We choose the line that connects the origin to
    e1Ke2K2e3Kn-1en where K is large enough
  • The distance between hyperplanes is n
  • The sides are of length 2n
  • Therefore, we choose K2O(n)
  • Hence, dltO(Kn)2(O(n2))

48
Done
n1.5-Unique-SVP
?
decision problem
?
promise problem
?
n-dim distributions
?
Main theorem
49
From Worst-Case to Average-Case
50
Worst-case vs. Average-case
  • Main theorem presents a problem that is hard in
    the worst-case distinguish between uniform and
    d,?-wavy distributions for all integers dlt2(n2)
  • For cryptographic applications, we would like to
    have a problem that is hard on the average
    distinguish between uniform and d,?-wavy
    distributions for a non-negligible fraction of d
    in 2(n2), 22(n2)

51
Compressing
  • The following procedure transforms d,?-wavy into
    2d,?-wavy for all integer d
  • Sample a from the distribution
  • Return either a/2 or (aR)/2 with probability ½
  • In general, for any real a?1, we can compress
    d,?-wavy into ad,?-wavy
  • Notice that compressing preserves the uniform
    distribution
  • We show a reduction from worst-case to
    average-case

52
Reduction
  • Assume there exists a distinguisher between
    uniform and d,?-wavy distribution for some
    non-negligible fraction of d in 2(n2),
    22(n2)
  • Given either a uniform or a d,?-wavy distribution
    for some integer dlt2(n2) repeat the following
  • Choose a in 1,,22(n2) according to a certain
    distribution
  • Compress the distribution by a
  • Check the distinguishers acceptance probability
  • If for some a the acceptance probability differs
    from that of uniform sequences, return wavy
    otherwise, return uniform

53
Reduction
  • Distribution is uniform
  • After compression it is still uniform
  • Hence, the distinguishers acceptance probability
    equals that of uniform sequences for all a
  • Distribution is d,?-wavy
  • After compression it is in the good range with
    some probability
  • Hence, for some a, the distinguishers
    acceptance probability differs from that of
    uniform sequences

2(n2)
22(n2)
1


d
54
Application 1Public Key Encryption Scheme
55
PKE Description
  • Let m2log2R4n2
  • Private key
  • A real number y chosen uniformly in
    2(n2),22(n2) such that y is close to an
    integer (?1/100m)
  • Public key
  • Choose integers Aa1,,am from the y,?-wavy
    distribution with ?n1e
  • Lemma Public keys are indistinguishable from
    uniform sequences (based on n1.5e unique-SVP)

56
PKE Description (cont.)
  • Private key y
  • Public key Aa1,,am
  • Encryption
  • Bit 0 a number chosen uniformly in 0,,R-1
  • Bit 1 the sum of a random subset of A mod R
  • Decryption of w
  • If disty(w)lt1/50 then 1 otherwise 0

57
PKE Correctness
  • Encryption of the bit 0
  • With probability 96, disty(?Sai)gt1/50
  • These errors can be avoided
  • Encryption of the bit 1
  • For a subset S, with high probability,
  • disty(?Sai)lt1/100
  • Using ?Sai lt mR,
  • disty(?Sai mod R)lt1/50

58
PKE - Security
  • Lemma If a1,,am is a uniform sequence then
    both encryptions of 0 and of 1 are uniform
  • Hence, distinguishing between encryptions of 0
    and 1 implies distinguishing between public keys
    and uniform sequences!

Enc(0) ? Enc(1)
public key a1,,am
Enc(0) Enc(1)
uniform a1,,am
59
PKE Security
  • Lemma Public keys are indistinguishable from
    uniform sequences (based on n1.5e unique-SVP)
  • Proof Follows from the average-case theorem
    (since we choose y from a set of size 1/(50m) of
    all 2(n2),22(n2))

60
Application 2Collision Resistant Hash Function
61
Collision Resistant Hash Function
  • Choose a1,,am uniformly in 0,,R-1 where
    m2log2R4n2. Then
  • ?b1,,bm?0,1, f(b1,,bm)Sbiai mod R
  • We will see a simpler proof based on n2.5e-uSVP

62
Collision Resistant Hash Function
  • Assume there exists a collision finding algorithm
    C
  • I.e., with non-negligible probability, given
    a1,,am chosen uniformly, C finds c1,,cm?-1,
    0,1 (not all zero) such that
  • Saici 0 (mod R)

63
Collision Resistant Hash Function
  • We show how to distinguish between the uniform
    and the d,?-wavy with ?n2e using C
  • Choose z uniformly from 0,,R-1
  • With probability 0.9, distd(z) gt 1/20
  • Repeat the following enough times
  • Choose a1,,am from the unknown distribution
  • Call C with a1,,ak-1,(akz mod R),ak1,,am
    where k is chosen uniformly from 1,,m
  • If ck is always zero or C keeps failing, say
    wavy otherwise uniform

64
Correctness
  • Distribution is uniform
  • a1,,ak-1,(akz mod R),ak1,,am has the same
    distribution as a uniform sequence
  • Therefore, C answers with non-negligible
    probability and ck?0 with probability at least
    1/m
  • Distribution is d,?-wavy
  • W.h.p., ?i?1,,m, distd(ai) lt 1/(100n2)
  • For all c1,,cm?-1,0,1, distd(Sciai) lt 1/25
    (since m4n2)
  • Therefore, if z has distd(z) gt 1/20 then it can
    never be included in the sum, i.e., ck0

65
Application 3Quantum Computation The Dihedral
HSP
66
Hidden Subgroup Problem
  • Given a function that is constant and distinct on
    cosets of H?G, find H
  • Solved for Abelian groups
  • Also for certain non-Abelian groups
    RöttelerBeth98,HallgrenRussellTashma00,GrigniSc
    hulmanVaziraniVazirani01
  • Still open for many groups. In particular
  • Symmetric group
  • Dihedral group (ZN?Z2)

67
Solving Dihedral HSP
  • Two approaches
  • Ettinger and Høyer 00
  • Reduction to Period finding from samples
  • R 02, Kuperberg 03
  • Reduction to average case subset sum

68
Solving Dihedral HSP
  • Idea of Ettinger and Høyer
  • Reduce to Hidden Translation on ZN
  • Given an oracle that outputs states of
  • the form xixdi where x is arbitrary
  • and d is fixed, find d
  • Take the Fourier transform
  • Measure

69
Period Finding from Samples
  • Find the period of the following (cos2)
    distribution by sampling
  • EH showed that there is enough information in a
    polynomial number of samples
  • Open question in EH is there an efficient
    solution to this problem?

R-1
0
70
Reduction
  • Lemma A distinguisher between cos2 and the
    uniform distribution implies a distinguisher
    between the wavy and uniform distribution

71
Guess the period and add noise
72
Reduction
  • Corollary finding the period of the cos2
    distribution is hard
  • Proof Since all cos2 distributions look like
    uniform, they all look the same

73
Conclusion
  • Main theorem
  • Average case form
  • Applications
  • Strong public key encryption scheme
  • Collision resistant hash function
  • Solution to an open question in quantum
    computation
  • Other applications?
Write a Comment
User Comments (0)
About PowerShow.com