Lattice-Based Cryptography - PowerPoint PPT Presentation

Slides: 38
Provided by: cimsNyuE1
Learn more at: https://cims.nyu.edu

Transcript and Presenter's Notes


1
  • Lattice-Based Cryptography

2
Lattice Problems
Worst-Case
Average-Case
  • Learning With Errors Problem (LWE)
  • Small Integer Solution Problem (SIS)
Minicrypt
  • One-Way Functions
  • Collision-Resistant Hash Functions
  • Digital Signatures
  • Identification Schemes
Cryptomania
  • Public Key Encryption
  • Oblivious Transfer
  • Identity-Based Encryption
  • Hierarchical Identity-Based Encryption
3
Learning With Errors Problem
Find the secret $s$

$a_1,\ b_1 = \langle a_1, s\rangle + e_1$
$a_2,\ b_2 = \langle a_2, s\rangle + e_2$

$s$ is chosen randomly in $\mathbb{Z}_q^n$
$a_i$ are chosen randomly from $\mathbb{Z}_q^n$
$e_i$ are small elements in $\mathbb{Z}_q$
4
(Decisional) Learning With Errors Problem
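Distinguish between these two distributions

Oracle 1
$a_1,\ b_1 = \langle a_1, s\rangle + e_1$
$a_2,\ b_2 = \langle a_2, s\rangle + e_2$
$s$ is chosen randomly in $\mathbb{Z}_q^n$
$a_i$ are chosen randomly from $\mathbb{Z}_q^n$
$e_i$ are small elements in $\mathbb{Z}_q$

Oracle 2
$a_1,\ b_1$
$a_2,\ b_2$
$a_i$ are chosen randomly from $\mathbb{Z}_q^n$
$b_i$ are chosen randomly from $\mathbb{Z}_q$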
5
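LWE < d-LWE
$v$, $g$ = guess for $\langle v, s\rangle$
If $g = \langle v, s\rangle$, then we will produce Oracle 1 distribution
If $g \ne \langle v, s\rangle$, then we will produce Oracle 2 distribution
Use distinguisher to tell us whether the guess for $\langle v, s\rangle$ was correct
Can set $v = (1,0,\dots,0)$, then $(0,1,0,\dots,0)$, ... to recover all the bits of $s$
$(a, b) = (a, \langle a, s\rangle + e)$
Pick random $r$ in $\mathbb{Z}_q$
$(a + rv,\ b + rg) = (a + rv,\ \langle a, s\rangle + e + rg)$
If $g = \langle v, s\rangle$, then $(a + rv,\ b + rg) = (a + rv,\ \langle a, s\rangle + e + r\langle v, s\rangle) = (a + rv,\ \langle a + rv, s\rangle + e)$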
6
LWE < d-LWE
$(a, b) = (a, \langle a, s\rangle + e)$
Pick random $r$ in $\mathbb{Z}_q$
$(a + rv,\ b + rg) = (a + rv,\ \langle a, s\rangle + e + rg)$
If $g \ne \langle v, s\rangle$, then $g = \langle v, s\rangle + g'$
$(a + rv,\ b + rg) = (a + rv,\ \langle a, s\rangle + e + r\langle v, s\rangle + rg') = (a + rv,\ \langle a + rv, s\rangle + e + rg')$
$r$ is independent of $a + rv$, $s$, $e$
So, $\Pr[\langle a', s\rangle + e + rg' = u \mid a'] = \Pr[r = (u - (\langle a', s\rangle + e))(g')^{-1}] = 1/q$
7
Learning With Errors Problem
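[Figure: the rows $a_1, a_2, \dots, a_m$ stacked into a matrix, times $s$, plus $e$, equals $b$]
$a_i$, $s$ are in $\mathbb{Z}_q^n$
$e$ is in $\mathbb{Z}_q^m$
All coefficients of $e$ are $< \sqrt{q}$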
8
Learning With Errors Problem
[Figure: $As + e = b$]
$A$ is in $\mathbb{Z}_q^{m \times n}$
$s$ is in $\mathbb{Z}_q^n$
$e$ is in $\mathbb{Z}_q^m$
All coefficients of $e$ are $< \sqrt{q}$
LWE problem: Distinguish $(A, As + e)$ from $(A, b)$ where $b$ is random
9
Public Key Encryption Based on LWE
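Secret Key: $s$ in $\mathbb{Z}_q^n$
Public Key: $A$ in $\mathbb{Z}_q^{m \times n}$, $b = As + e$
Each coefficient of $e$ is $< \sqrt{q}$
[Figure: $As + e = b$]
Encrypting a single bit $z$ in $\{0,1\}$:
Pick $r$ in $\{0,1\}^m$. Send $(rA,\ \langle r, b\rangle + z(q/2))$
[Figure: $r$ times $A$, and $r$ times $b$ plus $z(q/2)$]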
10
Proof of Semantic Security
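[Figure: public key $(A,\ b = As + e)$ and ciphertext $(rA,\ \langle r, b\rangle + z(q/2))$]
If $b$ is random, then $(A, rA, \langle r, b\rangle)$ is also completely random.
So $(A, rA, \langle r, b\rangle + z(q/2))$ is also completely random.
Since $(A, b)$ looks random (based on the hardness of LWE), so does $(A, rA, \langle r, b\rangle + z(q/2))$ for any $z$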
11
Decryption
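[Figure: public key $(A,\ b = As + e)$ with dimensions $n$ and $m$ marked, and ciphertext $(rA,\ \langle r, b\rangle + z(q/2))$]
Have $(u, v)$ where $u = rA$ and $v = \langle r, b\rangle + z(q/2)$
Compute $\langle u, s\rangle - v$
If $\langle u, s\rangle - v$ is closer to 0 than to $q/2$, then decrypt to 0
If $\langle u, s\rangle - v$ is closer to $q/2$ than to 0, then decrypt to 1
$\langle u, s\rangle - v = rAs - r(As + e) - z(q/2) = -\langle r, e\rangle - z(q/2)$
If all coefficients of $e$ are $< \sqrt{q}$, $\langle r, e\rangle < m\sqrt{q}$
So if $q \gg m\sqrt{q}$, $z(q/2)$ dominates the term $-\langle r, e\rangle - z(q/2)$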
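The key generation, encryption and decryption steps from the slides above, as an added Python example that is not part of the original presentation. The values of n, m and q, the signed error range and the seeded generator are assumptions chosen so that m·sqrt(q) < q/4; they are far too small to be secure.

```python
import math
import random

# Toy parameters assumed for this example only (far too small to be secure).
N, M, Q = 8, 200, 1 << 20
BOUND = math.isqrt(Q) - 1          # every |e_i| <= BOUND < sqrt(q)

def keygen(rng):
    """Return (s, (A, b)) with A in Z_q^{m x n} and b = As + e mod q."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-BOUND, BOUND) for _ in range(M)]
    b = [(sum(x * y for x, y in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, z, rng):
    """Encrypt one bit z as (u, v) = (rA, <r,b> + z(q/2)) with r in {0,1}^m."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(ri * bi for ri, bi in zip(r, b)) + z * (Q // 2)) % Q
    return u, v

def decrypt(s, ct):
    """Decode <u,s> - v: closer to 0 gives 0, closer to q/2 gives 1."""
    u, v = ct
    d = (sum(x * y for x, y in zip(u, s)) - v) % Q
    dist_to_zero = min(d, Q - d)   # distance measured around the circle Z_q
    dist_to_half = abs(d - Q // 2)
    return 0 if dist_to_zero < dist_to_half else 1

def decoding_is_exact():
    """Worst case |<r,e>| <= m * BOUND must stay below q/4."""
    return M * BOUND < Q // 4

def roundtrip(bits, seed=1):
    """Encrypt and decrypt each bit under one fresh key pair."""
    rng = random.Random(seed)      # seeded for reproducibility; real code needs a CSPRNG
    s, pk = keygen(rng)
    return [decrypt(s, encrypt(pk, z, rng)) for z in bits]
```

Raising M or BOUND until `decoding_is_exact()` turns false is the case the last slide line rules out: the noise term can then reach q/4 and a bit may decode wrongly.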
12
Lattices in Practice
  • Lattices have some great features
  • Very strong security proofs
  • The schemes are fairly simple
  • Relatively efficient
  • But there is a major drawback
  • Schemes have very large keys

13
Hash Function
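Description of the hash function: $a_1, \dots, a_m$ in $\mathbb{Z}_q^n$
Input: Bit-string $z_1 \dots z_m$ in $\{0,1\}$
[Figure: the vectors $a_1, a_2, \dots, a_m$ combined with the bits $z_1, z_2, \dots, z_m$ give $h(z_1 \dots z_m)$]
Sample parameters: $n = 64$, $m = 1024$, $p = 257$
Domain size: $2^{1024}$ (1024 bits)
Range size: $257^{64}$ ($\approx$ 512 bits)
Function description: $\log(257) \cdot 64 \cdot 1024 \approx 525{,}000$ bits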
14
Public-Key Cryptosystem
  • (Textbook) RSA
  • Key-size 2048 bits
  • Ciphertext length (2048 bit message) 2048 bits
  • LWE-based scheme
  • Key-size 600,000 bits
  • Ciphertext length (2048 bit message) 40,000
    bits

15
Source of Inefficiency
[Figure: the matrix $A$ ($n$ rows, $m$ columns) times the vector $z$ gives $h(z)$]
Require $O(mn)$ storage
Computing the function takes $O(mn)$ time
16
A More Efficient Idea
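[Figure: $A$ ($n$ rows, $m$ columns) times $z$, where each $n \times n$ block of $A$ consists of the cyclic shifts of its first column. The rows of $A$ are (4 1 2 7 | 10 7 1 13), (7 4 1 2 | 13 10 7 1), (2 7 4 1 | 1 13 10 7), (1 2 7 4 | 7 1 13 10)]
Now $A$ only requires $m$ storage
$Az$ can be computed faster as well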
17
A More Efficient Idea
[Figure: each cyclic block of $A$ times the matching block of $z$, written as a polynomial product]
$(4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2)$ in $\mathbb{Z}_p[x]/(x^n - 1)$
18
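Interlude: What is $\mathbb{Z}_p[x]/(x^n - 1)$?
  • $\mathbb{Z}$ = integers
  • $\mathbb{Z}_p$ = integers modulo $p$
  • $\mathbb{Z}_p[x]$ = polynomials with coefficients in $\mathbb{Z}_p$
  • Example: if $p = 3$: $1 + x$, $2 + x^2 + x^{1001}$
  • $\mathbb{Z}_p[x]/(x^n - 1)$ = polynomials of degree at most $n - 1$, with coefficients in $\mathbb{Z}_p$
  • Example: if $p = 3$ and $n = 4$: $1 + x$, $2 + x + x^2$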

19
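Operations in $\mathbb{Z}_p[x]/(x^n - 1)$
  • Addition
  • Addition of polynomials modulo $p$
  • Example: if $p = 3$ and $n = 4$
  • $(1 + x^2) + (2 + x^2 + x^3) = 2x^2 + x^3$
  • Multiplication
  • Polynomial multiplication modulo $p$ and $x^n - 1$
  • Example: if $p = 3$ and $n = 4$
  • $(1 + x^2)(2 + x^2 + x^3) = 2 + 3x^2 + x^3 + x^4 + x^5 = 2 + 3x^2 + x^3 + 1 + x = x + x^3$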

20
A More Efficient Idea
[Figure: each cyclic block of $A$ times the matching block of $z$, written as a polynomial product]
$(4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2)$ in $\mathbb{Z}_p[x]/(x^n - 1)$
Multiplication in $\mathbb{Z}_p[x]/(x^n - 1)$ takes time $O(n \log n)$ using FFT
21
Great, a Better Hash Function!
Sample parameters: $n = 64$, $m = 1024$, $p = 257$
Domain size: $2^{1024}$ (1024 bits)
Range size: $257^{64}$ ($\approx$ 512 bits)
Function description: $\log(257) \cdot 64 \cdot 1024 \approx 525{,}000$ bits
New function description: $\log(257) \cdot 64 \cdot 16 \approx 8192$ bits, and it's much faster!
22
But Is it Hard to Find Collisions?
[Figure: the block-cyclic matrix $A$ ($n$ rows, $m$ columns) times $z$]
NO!
23
Finding Collisions
[Figure: $h$ maps the domain $D$ to the range $R$; subsets $D'$ and $R'$ are marked]
24
Finding Collisions
[Figure: the block-cyclic matrix $A$ times $z$ gives a vector in $\mathbb{Z}_q^n$]
How many possibilities are there for this vector? $q^n$
There is a way to pick the $z$ vector smarter so that the number of possibilities is just $q$
25
Finding Collisions
[Figure: the cyclic block with rows (4, 1, 2, 7), (7, 4, 1, 2), (2, 7, 4, 1), (1, 2, 7, 4) times the all-0 block gives (0, 0, 0, 0); times the all-1 block it gives (14, 14, 14, 14)]
26
Finding Collisions
[Figure: the block-cyclic matrix $A$ times $z$ gives a vector in $\mathbb{Z}_q^n$]
Set each block of $z$ to either all 0's or all 1's
How many possibilities for $z$ are there? $2^{\text{\# of blocks}}$
Need $2^{\text{\# of blocks}} > q$ to guarantee a collision of this form
\# of blocks $> \log q$
27
Collision-Resistant Hash Function
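Given: Vectors $a_1, \dots, a_m$ in $\mathbb{Z}_q^n$
Find: non-trivial solution $z_1, \dots, z_m$ in $\{-1, 0, 1\}$ such that
$a_1 z_1 + a_2 z_2 + \dots + a_m z_m = 0$ in $\mathbb{Z}_q^n$

$A = (a_1, \dots, a_m)$
Define $h_A : \{0,1\}^m \to \mathbb{Z}_q^n$ where $h_A(z_1, \dots, z_m) = a_1 z_1 + \dots + a_m z_m$
Domain of $h$ = $\{0,1\}^m$ (size $2^m$)
Range of $h$ = $\mathbb{Z}_q^n$ (size $q^n$)
Set $m > n \log q$ to get compression
\# of blocks = $m/n > \log q$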
28
But
[Figure: $Az = r$ for the block-cyclic matrix $A$ ($n$ rows, $m$ columns)]
Theorem: For a random $r$ in $\mathbb{Z}_q^n$, it is hard to find a $z$ with coefficients in $\{-1, 0, 1\}$ such that $Az \bmod q = r$
29
Lattice Problems for Cyclic Lattices
Worst-Case
Average-Case
One-Way Functions
30
Cyclic Lattices
A set $L$ in $\mathbb{Z}^n$ is a cyclic lattice if
1.) For all $v, w$ in $L$, $v + w$ is also in $L$
    Example: (-4, 3, 2, -1) + (6, 3, -2, -7) = (2, 6, 0, -8)
2.) For all $v$ in $L$, $-v$ is also in $L$
    Example: (-4, 3, 2, -1) gives (4, -3, -2, 1)
3.) For all $v$ in $L$, a cyclic shift of $v$ is also in $L$
    Example: (-4, 3, 2, -1) gives (3, 2, -1, -4), (2, -1, -4, 3), (-1, -4, 3, 2)
31
Cyclic Lattices = Ideals in $\mathbb{Z}[x]/(x^n - 1)$
A set $L$ in $\mathbb{Z}^n$ is a cyclic lattice if
1.) For all $v, w$ in $L$, $v + w$ is also in $L$
2.) For all $v$ in $L$, $-v$ is also in $L$
3.) For all $v$ in $L$, a cyclic shift of $v$ is also in $L$
32
$(x^n - 1)$-Ideal Lattices
A set $L$ in $\mathbb{Z}^n$ is an $(x^n - 1)$-ideal lattice if
1.) For all $v, w$ in $L$, $v + w$ is also in $L$
2.) For all $v$ in $L$, $-v$ is also in $L$
3.) For all $v$ in $L$, a cyclic shift of $v$ is also in $L$
33
What About Hash Functions?
[Figure: the block-cyclic matrix $A$ ($n$ rows, $m$ columns) times $z$]
Not Collision-Resistant
34
A Simple Modification
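[Figure: $A$ ($n$ rows, $m$ columns) times $z$, where the entries above the diagonal of each block are negated. The rows of $A$ are (4 -1 -2 -7 | 10 -7 -1 -13), (7 4 -1 -2 | 13 10 -7 -1), (2 7 4 -1 | 1 13 10 -7), (1 2 7 4 | 7 1 13 10)]
Theorem: It is hard to find a $z$ with coefficients in $\{-1, 0, 1\}$ such that $Az \bmod q = 0$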
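The block trick from the "Finding Collisions" slides and the effect of the simple modification, as an added Python example that is not part of the original presentation. The key, p = 17, n = 4 and the five blocks are constructed toy values; `sign` selects the ring, +1 for x^n - 1 and -1 for x^n + 1.

```python
from itertools import product

def ring_mul(a, b, p, sign):
    """a*b in Z_p[x]/(x^n - sign): sign=+1 gives x^n-1, sign=-1 gives x^n+1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            wrap = sign if i + j >= n else 1      # x^n reduces to +1 or -1
            out[(i + j) % n] = (out[(i + j) % n] + wrap * ai * bj) % p
    return tuple(out)

def ring_hash(key, z, p, sign):
    """h(z_1..z_k) = sum_i a_i * z_i, every a_i and z_i a polynomial of degree < n."""
    acc = (0,) * len(key[0])
    for a, zi in zip(key, z):
        acc = tuple((x + y) % p for x, y in zip(acc, ring_mul(a, zi, p, sign)))
    return acc

def block_inputs(k, n):
    """The 2^k inputs whose blocks are all 0's or all 1's, as on the slides."""
    zero, ones = (0,) * n, (1,) * n
    return [tuple(ones if bit else zero for bit in bits)
            for bits in product((0, 1), repeat=k)]

def find_block_collision(key, p, sign):
    """Return two distinct block inputs with the same hash, or None."""
    seen = {}
    for z in block_inputs(len(key), len(key[0])):
        h = ring_hash(key, z, p, sign)
        if h in seen:
            return seen[h], z
        seen[h] = z
    return None

def distinct_block_outputs(key, p, sign):
    """Count the hash values reached by the block inputs."""
    zs = block_inputs(len(key), len(key[0]))
    return len({ring_hash(key, z, p, sign) for z in zs})

# Constructed toy key (not from the slides): k = 5, n = 4, p = 17, so 2^k = 32 > p.
P = 17
KEY = [(1, 4, 7, 2), (2, 10, 13, 1), (4, 1, 2, 7), (8, 7, 1, 13), (0, 3, 11, 5)]
```

With `sign=+1` the 32 block inputs land on at most p constant vectors, so a collision is found at once; with `sign=-1` they reach 32 distinct values for this key. That shows only that this shortcut stops working; the hardness statement itself is the slide's theorem.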
35
Lattice Problems for $(x^n + 1)$-Ideal Lattices
Worst-Case
Average-Case
  • Small Integer Solution Problem (SIS)
Minicrypt
  • One-Way Functions
  • Collision-Resistant Hash Functions
  • Digital Signatures
  • Identification Schemes
36
$(x^n + 1)$-Ideal Lattices
A set $L$ in $\mathbb{Z}^n$ is an $(x^n + 1)$-ideal lattice if
1.) For all $v, w$ in $L$, $v + w$ is also in $L$
2.) For all $v$ in $L$, $-v$ is also in $L$
3.) For all $v$ in $L$, its negative rotation is also in $L$
37
So How Efficient are the Ideal Lattice Constructions?
  • Collision-resistant hash functions
  • More efficient than any other provably-secure
    hash function
  • Almost as efficient as the ones used in practice
  • Can only prove collision-resistance
  • Signature schemes
  • Theoretically, very efficient
  • In practice, efficient
  • Key length 20,000 bits
  • Signature length 50,000 bits