Lattice-Based Cryptography

Lattice problems: the Small Integer Solution problem (SIS) and the Learning With Errors problem (LWE).

Overview diagram of the slides: worst-case lattice problems → average-case SIS and LWE → cryptographic primitives.
  From SIS (Minicrypt): one-way functions, collision-resistant hash functions, digital signatures, identification schemes.
  From LWE (Cryptomania): public-key encryption, oblivious transfer, identity-based encryption, hierarchical identity-based encryption.
Learning With Errors Problem

Given samples
  a_1, b_1 = <a_1,s> + e_1
  a_2, b_2 = <a_2,s> + e_2
  ...
where s is chosen randomly in Z_q^n, the a_i are chosen randomly from Z_q^n, and the e_i are "small" elements in Z_q.
Find the secret s.
(Decisional) Learning With Errors Problem

Oracle 1 outputs
  a_1, b_1 = <a_1,s> + e_1
  a_2, b_2 = <a_2,s> + e_2
  ...
where s is chosen randomly in Z_q^n, the a_i are chosen randomly from Z_q^n, and the e_i are "small" elements in Z_q.

Oracle 2 outputs
  a_1, b_1
  a_2, b_2
  ...
where the a_i are chosen randomly from Z_q^n and the b_i are chosen randomly from Z_q.

Distinguish between these two distributions.
LWE ≤ d-LWE (search LWE reduces to decisional LWE)

Given an LWE sample (a, b) = (a, <a,s> + e), pick a vector v and a guess g for <v,s>, pick a random r in Z_q, and output
  (a + rv, b + rg) = (a + rv, <a,s> + e + rg).

If g = <v,s>, then (a + rv, b + rg) = (a + rv, <a,s> + e + r<v,s>) = (a + rv, <a + rv, s> + e), so we produce the Oracle 1 distribution.

If g ≠ <v,s>, write g = <v,s> + g' with g' ≠ 0. Then (a + rv, b + rg) = (a + rv, <a,s> + e + r<v,s> + rg') = (a + rv, <a + rv, s> + e + rg'). Since r is independent of a' = a + rv, s and e (and g' is invertible for q prime),
  Pr[<a',s> + e + rg' = u | a'] = Pr[r = (u - (<a',s> + e)) * (g')^-1] = 1/q,
so the second component is uniform in Z_q and we produce the Oracle 2 distribution.

Use the distinguisher to tell us whether the guess for <v,s> was correct. Setting v = (1,0,...,0), then (0,1,0,...,0), ... recovers all the coordinates of s.
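The transformation above, carried out on toy parameters as an added example (this is not code from the slides). The distinguisher the reduction assumes is simulated by a function that is handed s only so that the demo can run offline; the reduction itself only ever sees the oracle's yes/no answer. The parameters q = 97, error bound 3 and the secret are constructed values.

```python
"""Search-to-decision reduction for LWE (LWE <= d-LWE) on toy parameters.
Added example: 'transform' is the slide's (a + r v, b + r g) step; the decisional
oracle is simulated with knowledge of s only so the demonstration can run."""
import random

Q, BOUND = 97, 3            # constructed toy parameters: q prime, |e| < BOUND


def lwe_sample(s, q, bound, rng):
    """One Oracle-1 sample (a, <a,s> + e) with uniform a and small e."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = rng.randrange(-bound + 1, bound)
    return a, (sum(a[j] * s[j] for j in range(n)) + e) % q


def transform(sample, v, g, q, rng):
    """Given (a, b) and a guess g for <v,s>, output (a + r v, b + r g) for random r in Z_q.
    If g == <v,s> this is again an LWE sample for the same secret s; otherwise the second
    coordinate is uniform in Z_q because r is independent of everything else."""
    a, b = sample
    r = rng.randrange(q)
    return [(a[j] + r * v[j]) % q for j in range(len(a))], (b + r * g) % q


def is_small(x, q, bound):
    """Centre x in (-q/2, q/2] and test |x| < bound."""
    c = x if x <= q // 2 else x - q
    return abs(c) < bound


def oracle_is_lwe(samples, s, q, bound):
    """Stand-in for the decisional-LWE distinguisher assumed by the reduction.  It is
    handed s purely to simulate an oracle that answers correctly; the reduction
    never uses s, only the oracle's answer."""
    return all(is_small((b - sum(a[j] * s[j] for j in range(len(s)))) % q, q, bound)
               for a, b in samples)


def recover_secret(s, q, bound, rng, trials=8):
    """Recover s one coordinate at a time: with v = e_i (the i-th unit vector) the guess
    g for <v,s> is a guess for s_i; the oracle accepts the correct g, and accepts a wrong
    g only if all `trials` uniform values happen to look small."""
    n = len(s)
    recovered = []
    for i in range(n):
        v = [1 if j == i else 0 for j in range(n)]
        for g in range(q):
            batch = [transform(lwe_sample(s, q, bound, rng), v, g, q, rng) for _ in range(trials)]
            if oracle_is_lwe(batch, s, q, bound):
                recovered.append(g)
                break
    return recovered


def demo(seed=1):
    """Returns (true secret, recovered secret) for a constructed secret in Z_97^6."""
    rng = random.Random(seed)
    s = [5, 77, 0, 42, 96, 13]           # constructed secret
    return s, recover_secret(s, Q, BOUND, rng)


if __name__ == "__main__":
    print(demo())
```

Each coordinate costs at most q oracle calls of `trials` samples each, so the whole secret is recovered with about n·q·trials samples; the point of the demonstration is that a wrong guess turns the second coordinate into a uniform value, which is exactly what the oracle detects.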
Learning With Errors Problem (matrix form)

Stack the samples as the rows of a matrix:
  A s + e = b,
where A in Z_q^{m x n} has rows a_1, ..., a_m, s in Z_q^n, e in Z_q^m and b in Z_q^m.
All coefficients of e are < sqrt(q).
LWE problem: distinguish (A, As + e) from (A, b) where b is random.
Public Key Encryption Based on LWE

Secret key: s in Z_q^n
Public key: A in Z_q^{m x n} and b = As + e, where each coefficient of e is < sqrt(q)
Encrypting a single bit z in {0,1}: pick r in {0,1}^m and send (rA, <r,b> + z(q/2)).
Proof of Semantic Security

The public key is (A, b) with As + e = b; the ciphertext is (rA, <r,b> + z(q/2)).
If b is random, then (A, rA, <r,b>) is also completely random, so (A, rA, <r,b> + z(q/2)) is also completely random.
Since (A, b) looks random (based on the hardness of LWE), so does (A, rA, <r,b> + z(q/2)) for any z.
Decryption

Have (u, v) where u = rA and v = <r,b> + z(q/2), with As + e = b.
Compute <u,s> - v. If <u,s> - v is closer to 0 than to q/2, then decrypt to 0; if <u,s> - v is closer to q/2 than to 0, then decrypt to 1.
  <u,s> - v = rAs - r(As + e) - z(q/2) = -<r,e> - z(q/2)
If all coefficients of e are < sqrt(q), then |<r,e>| < m*sqrt(q). So if q >> m*sqrt(q), the term z(q/2) "dominates" -<r,e> - z(q/2) and the bit is recovered.
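The single-bit scheme above, key generation through decryption, as an added example that is not the slide author's code. The parameters n = 8, m = 32, q = 65537 are constructed toy values chosen so that sqrt(q) = 256 is much larger than m, as the decryption argument requires; q/2 is taken as floor(q/2) since q is odd.

```python
"""The single-bit LWE public-key scheme from the slides, with a correctness check.
Added example (not the slide author's code); parameters are constructed toy values
and offer no real security."""
import random

N, M, Q = 8, 32, 65537      # constructed toy parameters; Q prime, sqrt(Q) = 256 >> M


def keygen(n, m, q, rng):
    """Secret key s in Z_q^n; public key (A, b = A s + e) with |e_i| < sqrt(q)."""
    bound = int(q ** 0.5)
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randrange(-bound + 1, bound) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return s, (A, b)


def encrypt(pk, z, q, rng):
    """Encrypt one bit z: pick r in {0,1}^m, send (u, v) = (r A, <r,b> + z*floor(q/2))."""
    A, b = pk
    m, n = len(A), len(A[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    v = (sum(r[i] * b[i] for i in range(m)) + z * (q // 2)) % q
    return u, v


def decrypt(s, ct, q):
    """d = <u,s> - v = -<r,e> - z*floor(q/2) (mod q).  Decide 0 if d is closer to 0
    than to q/2 on the cycle Z_q, else 1."""
    u, v = ct
    d = (sum(u[j] * s[j] for j in range(len(s))) - v) % q
    dist_zero = min(d, q - d)
    dist_half = abs(d - q // 2)
    return 0 if dist_zero < dist_half else 1


def error_bound(m, q):
    """|<r,e>| < m*sqrt(q); decryption is correct whenever this stays below q/4."""
    return m * int(q ** 0.5)


def roundtrip_ok(seed=1, rounds=20):
    """Encrypt and decrypt both bit values `rounds` times; True iff every bit survives."""
    rng = random.Random(seed)
    s, pk = keygen(N, M, Q, rng)
    return all(decrypt(s, encrypt(pk, z, Q, rng), Q) == z
               for _ in range(rounds) for z in (0, 1))


if __name__ == "__main__":
    print("all bits decrypted correctly:", roundtrip_ok())
    print("error bound", error_bound(M, Q), "< q/4 =", Q // 4)
```

The check in `error_bound` makes the slide's "q >> m*sqrt(q)" condition concrete: with these parameters |<r,e>| is at most 8192 while q/4 is 16384, so the error term can never push -<r,e> - z(q/2) onto the wrong side of the decision boundary.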
Lattices in Practice

Lattices have some great features:
  very strong security proofs
  the schemes are fairly simple
  relatively efficient
But there is a major drawback: the schemes have very large keys.
Hash Function

Description of the hash function: vectors a_1, ..., a_m in Z_q^n.
Input: a bit-string z_1...z_m in {0,1}^m.
  h(z_1...z_m) = z_1 a_1 + z_2 a_2 + ... + z_m a_m
Sample parameters: n = 64, m = 1024, p = 257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description: log(257)*64*1024 ≈ 525,000 bits
Public-Key Cryptosystem

(Textbook) RSA:
  key size: ≈ 2048 bits
  ciphertext length (2048-bit message): ≈ 2048 bits
LWE-based scheme:
  key size: ≈ 600,000 bits
  ciphertext length (2048-bit message): ≈ 40,000 bits
Source of Inefficiency

h(z) = A z, where A is a random n x m matrix and z in {0,1}^m. The slide's example (n = 4, m = 8; entries as on the slide, read column by column):

  A = [ 4 11  6  8 10  7  6 14 ]     z = (0,1,1,0,1,0,0,1)
      [ 7  7  1  2 13  0  3  0 ]
      [ 2  9 12  5  1  2  5  9 ]
      [ 1  3 14  9  7  1 11  1 ]

Requires O(mn) storage. Computing the function takes O(mn) time.
A More Efficient Idea

Make every n x n block of A a circulant matrix: the columns of a block are the cyclic shifts of its first column. The slide's example (n = 4, m = 8) has two blocks, generated by (4,7,2,1) and (10,13,1,7):

  A = [  4  1  2  7 | 10  7  1 13 ]     z = (1,0,0,1 | 0,1,1,0)
      [  7  4  1  2 | 13 10  7  1 ]
      [  2  7  4  1 |  1 13 10  7 ]
      [  1  2  7  4 |  7  1 13 10 ]

Now A only requires m storage (one generating column per block), and Az can be computed faster as well.
Read each block of A and each block of z as a polynomial (column j of a block is x^j times the block's polynomial); then
  A z = (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2)   in Z_p[x]/(x^n-1)
Interlude: What is Z_p[x]/(x^n-1)?

Z = integers
Z_p = integers modulo p
Z_p[x] = polynomials with coefficients in Z_p. Example if p=3: 1+x, 2+x^2+x^1001
Z_p[x]/(x^n-1) = polynomials of degree at most n-1, with coefficients in Z_p. Example if p=3 and n=4: 1+x, 2+x+x^2

Operations in Z_p[x]/(x^n-1)?
Addition: addition of polynomials modulo p. Example if p=3 and n=4:
  (1+x^2) + (2+x^2+x^3) = 2x^2+x^3
Multiplication: polynomial multiplication modulo p and x^n-1. Example if p=3 and n=4:
  (1+x^2) * (2+x^2+x^3) = 2+3x^2+x^3+x^4+x^5 = 2+3x^2+x^3+1+x = x+x^3
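The ring operations of the interlude as an added example (not code from the slides), with polynomials stored as coefficient lists [c_0, ..., c_{n-1}]. It reproduces the p = 3, n = 4 sum and product above and evaluates the hash value (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) from the circulant slide; the slide gives no modulus for that example, so the p = 17 used for it is an assumption.

```python
"""Arithmetic in Z_p[x]/(x^n - 1) with coefficient lists (added example, not from the
slides).  Reduction of x^n to 1 means the coefficient of x^k lands in slot k mod n."""


def ring_add(a, b, p):
    """Coefficient-wise addition modulo p."""
    return [(x + y) % p for x, y in zip(a, b)]


def ring_mul(a, b, p):
    """Schoolbook product modulo p and x^n - 1 (O(n^2); the FFT version is O(n log n))."""
    n = len(a)
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[(i + j) % n] = (out[(i + j) % n] + x * y) % p
    return out


def circulant_hash(blocks, z_blocks, p):
    """h(z) = sum_k a_k(x) * z_k(x) in Z_p[x]/(x^n-1): the polynomial view of A z when
    every block of A is circulant and the k-th block of z is read as a polynomial."""
    n = len(blocks[0])
    acc = [0] * n
    for a, zk in zip(blocks, z_blocks):
        acc = ring_add(acc, ring_mul(a, zk, p), p)
    return acc


def interlude_examples():
    """The two p=3, n=4 examples from the interlude, returned as (sum, product)."""
    a, b = [1, 0, 1, 0], [2, 0, 1, 1]          # 1 + x^2 and 2 + x^2 + x^3
    return ring_add(a, b, 3), ring_mul(a, b, 3)


def slide_hash_value(p=17):
    """A z for the slide's two circulant blocks and z = (1,0,0,1 | 0,1,1,0); p assumed."""
    return circulant_hash([[4, 7, 2, 1], [10, 13, 1, 7]],
                          [[1, 0, 0, 1], [0, 1, 1, 0]], p)


if __name__ == "__main__":
    print(interlude_examples())   # ([0, 0, 2, 1], [0, 1, 0, 1]) i.e. 2x^2+x^3 and x+x^3
    print(slide_hash_value())     # [2, 9, 9, 2]
```

Without any modular reduction the two products sum to (19, 26, 26, 19), which is exactly what multiplying the slide's 4 x 8 circulant matrix by z gives; the polynomial view and the matrix view are the same computation.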
A More Efficient Idea (continued)

With the same circulant A and z as above,
  A z = (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2)   in Z_p[x]/(x^n-1)
Multiplication in Z_p[x]/(x^n-1) takes time O(n log n) using the FFT.

Great, a Better Hash Function!
Sample parameters: n = 64, m = 1024, p = 257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description (random A): log(257)*64*1024 ≈ 525,000 bits
"New function" description (circulant blocks): log(257)*64*16 ≈ 8192 bits, and it's much faster!
But Is it Hard to Find Collisions?

For h(z) = A z with the circulant blocks above (generated by (4,7,2,1) and (10,13,1,7)) and z in {0,1}^m: NO!
Finding Collisions

(figure: h maps a domain D onto a range R, and a restricted domain D' onto a smaller range R')

With the circulant A above, A z = C(a_1) z_1 + C(a_2) z_2 in Z_q^n, where z_1, z_2 are the two n-bit blocks of z.
How many possibilities are there for this vector? In general q^n.
There is a way to pick the z vector "smarter" so that the number of possibilities is just q.
Finding Collisions

Take a single circulant block, generated by (4,7,2,1):

  [ 4 1 2 7 ] [0]   [ 0]          [ 4 1 2 7 ] [1]   [14]
  [ 7 4 1 2 ] [0] = [ 0]          [ 7 4 1 2 ] [1] = [14]
  [ 2 7 4 1 ] [0]   [ 0]          [ 2 7 4 1 ] [1]   [14]
  [ 1 2 7 4 ] [0]   [ 0]          [ 1 2 7 4 ] [1]   [14]

Every row of a circulant block contains the same entries, so every row has the same sum (4+7+2+1 = 14): the all-ones block maps to a constant vector.
Finding Collisions

Set each block of z to either all 0's or all 1's. Then each block of A contributes either 0 or a constant vector (c, ..., c), so A z is a constant vector in Z_q^n: only q possibilities.
How many possibilities for z are there? 2^(# of blocks).
Need 2^(# of blocks) > q to guarantee a collision of this form, i.e.
  # of blocks > log q
Collision-Resistant Hash Function

Given: vectors a_1, ..., a_m in Z_q^n.
Find: a non-trivial solution z_1, ..., z_m in {-1,0,1} such that
  z_1 a_1 + z_2 a_2 + ... + z_m a_m = 0.

Let A = (a_1, ..., a_m). Define h_A: {0,1}^m → Z_q^n where h_A(z_1, ..., z_m) = a_1 z_1 + ... + a_m z_m.
Domain of h = {0,1}^m (size 2^m). Range of h = Z_q^n (size q^n). Set m > n log q to get compression.
(A collision h_A(z) = h_A(z') gives the non-trivial {-1,0,1} solution z - z'.)
With circulant blocks, compression forces # of blocks = m/n > log q, which is exactly the threshold at which the all-0/all-1 block attack is guaranteed to find a collision.
But ...

Theorem: For a random r in Z_q^n, it is hard to find a z with coefficients in {-1,0,1} such that A z mod q = r.
The slide's example uses the circulant A above (blocks generated by (4,7,2,1) and (10,13,1,7)) and shows A z = (12, 3, 7, 4) = r.
Lattice Problems for "Cyclic Lattices"

(diagram: worst-case problems on cyclic lattices → average-case problems → one-way functions)

Cyclic Lattices
A set L in Z^n is a cyclic lattice if:
1.) For all v,w in L, v+w is also in L.   Example: (-4,3,2,-1) + (6,3,-2,-7) = (2,6,0,-8)
2.) For all v in L, -v is also in L.   Example: -(-4,3,2,-1) = (4,-3,-2,1)
3.) For all v in L, a cyclic shift of v is also in L.   Example: (-4,3,2,-1) → (3,2,-1,-4) → (2,-1,-4,3) → (-1,-4,3,2)

Cyclic Lattices = Ideals in Z[x]/(x^n-1)
Identify v = (v_0, ..., v_{n-1}) with the polynomial v_0 + v_1 x + ... + v_{n-1} x^{n-1}. A cyclic shift of v is multiplication by x modulo x^n-1, so conditions 1.)-3.) say exactly that L is an ideal of Z[x]/(x^n-1). Cyclic lattices are therefore also called (x^n-1)-ideal lattices.
What About Hash Functions?

h(z) = A z with A built from circulant ((x^n-1)-ideal) blocks, such as the example generated by (4,7,2,1) and (10,13,1,7) above, is not collision-resistant.
A "Simple" Modification

Theorem: It is hard to find a z with coefficients in {-1,0,1} such that A z mod q = 0.

Replace the circulant blocks by negacyclic ones: column j of a block is x^j times the block's polynomial in Z_q[x]/(x^n+1), so every entry that wraps around picks up a minus sign. The slide's example, with blocks generated by (4,7,2,1) and (10,13,1,7):

  A = [  4 -1 -2 -7 | 10  -7  -1 -13 ]
      [  7  4 -1 -2 | 13  10  -7  -1 ]
      [  2  7  4 -1 |  1  13  10  -7 ]
      [  1  2  7  4 |  7   1  13  10 ]
Lattice Problems for (x^n+1)-Ideal Lattices

(diagram: worst-case problems on (x^n+1)-ideal lattices → average-case Small Integer Solution problem (SIS) → one-way functions, collision-resistant hash functions, digital signatures, identification schemes (Minicrypt))

(x^n+1)-Ideal Lattices
A set L in Z^n is an (x^n+1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L.   Example: (4,3,2,1) + (6,3,-2,-7) = (10,6,0,-6)
2.) For all v in L, -v is also in L.   Example: -(4,3,2,1) = (-4,-3,-2,-1)
3.) For all v in L, its "negative rotation" is also in L.   Example: (4,3,2,1) → (3,2,1,-4) → (2,1,-4,-3) → (1,-4,-3,-2)
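The following added example (not code from the slides) serves the "Finding Collisions" slides and the "Simple Modification" together: it builds circulant ((x^n-1)) and negacyclic ((x^n+1)) blocks from a generating vector, hashes with either, and runs the restricted all-0/all-1 block search from the slides. For circulant blocks that search is guaranteed to find a collision once 2^(# of blocks) > q; the same search on negacyclic blocks no longer collapses the output to a constant vector. The toy blocks, n = 4, k = 3 and the modulus p = 5 are constructed values; p = 17 for the single-block check is an assumption (the slide gives no modulus there).

```python
"""Block-constant collision search against the cyclic (x^n - 1) hash, next to the
negacyclic (x^n + 1) blocks of the 'Simple Modification'.  Added example; the toy
blocks and moduli are constructed and carry no security."""
from itertools import product


def circulant(a, p):
    """Block of the x^n-1 hash: column j is the coefficient vector of x^j * a(x)."""
    n = len(a)
    return [[a[(i - j) % n] % p for j in range(n)] for i in range(n)]


def negacyclic(a, p):
    """Block of the x^n+1 hash: column j is x^j * a(x) in Z_p[x]/(x^n+1), so every
    coefficient that wraps past x^{n-1} comes back with a minus sign."""
    n = len(a)
    return [[(a[i - j] if i >= j else -a[n + i - j]) % p for j in range(n)]
            for i in range(n)]


def hash_blocks(blocks, z, p, build):
    """h_A(z) = A z mod p with A = [B(a_1) | ... | B(a_k)], B = circulant or negacyclic."""
    n = len(blocks[0])
    out = [0] * n
    for k, a in enumerate(blocks):
        B, zk = build(a, p), z[k * n:(k + 1) * n]
        for i in range(n):
            out[i] = (out[i] + sum(B[i][j] * zk[j] for j in range(n))) % p
    return out


def block_constant_collision(blocks, p, build=circulant):
    """Restrict every block of z to all-0 or all-1.  With circulant blocks each block then
    contributes a constant vector (c,...,c), so A z takes at most p values while there are
    2^k inputs; for 2^k > p the pigeonhole principle forces a collision.  Returns (z, z')
    with z != z' and equal hashes, or None if this restricted search finds none."""
    n = len(blocks[0])
    seen = {}
    for bits in product((0, 1), repeat=len(blocks)):
        z = [bit for bit in bits for _ in range(n)]
        h = tuple(hash_blocks(blocks, z, p, build))
        if h in seen:
            return seen[h], z
        seen[h] = z
    return None


# constructed toy instance: n = 4, k = 3 blocks, p = 5, so 2^3 = 8 > 5 restricted inputs
TOY_BLOCKS, TOY_P = [[4, 7, 2, 1], [10, 13, 1, 7], [3, 0, 6, 2]], 5


def demo():
    """Returns (collision found for cyclic blocks, result of the same search for negacyclic
    blocks, cyclic image of the all-ones block, negacyclic image of the all-ones block)."""
    ones = [1, 1, 1, 1]
    return (block_constant_collision(TOY_BLOCKS, TOY_P, circulant),
            block_constant_collision(TOY_BLOCKS, TOY_P, negacyclic),
            hash_blocks([[4, 7, 2, 1]], ones, 17, circulant),     # constant (14,14,14,14)
            hash_blocks([[4, 7, 2, 1]], ones, 17, negacyclic))    # no longer constant


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The negacyclic result is only a sanity check that the specific structure exploited by the slides disappears; the collision-resistance of the x^n+1 construction rests on the worst-case-to-average-case theorem stated on the slides, not on this search coming back empty.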
So How Efficient are the Ideal Lattice Constructions?

Collision-resistant hash functions:
  more efficient than any other provably-secure hash function
  almost as efficient as the ones used in practice
  can only prove collision-resistance
Signature schemes:
  theoretically, very efficient
  in practice, efficient
  key length ≈ 20,000 bits
  signature length ≈ 50,000 bits