Lattice-Based Cryptography
Overview

Lattice Problems (worst-case)
      |
      |  worst-case to average-case reduction
      v
  +-- Small Integer Solution Problem (SIS)   (average-case)
  |     --> One-Way Functions, Collision-Resistant Hash Functions,
  |         Digital Signatures, Identification Schemes            (Minicrypt)
  |
  +-- Learning With Errors Problem (LWE)     (average-case)
        --> Public Key Encryption, Oblivious Transfer,
            Identity-Based Encryption, Hierarchical Identity-Based Encryption   (Cryptomania)

Learning With Errors Problem

Given samples
  $a_1,\; b_1 = \langle a_1, s\rangle + e_1$
  $a_2,\; b_2 = \langle a_2, s\rangle + e_2$
  ...
where $s$ is chosen randomly in $\mathbb{Z}_q^n$, the $a_i$ are chosen randomly from $\mathbb{Z}_q^n$, and the $e_i$ are "small" elements of $\mathbb{Z}_q$.

Find the secret $s$.

(Decisional) Learning With Errors Problem

Oracle 1 outputs
  $a_1,\; b_1 = \langle a_1, s\rangle + e_1$
  $a_2,\; b_2 = \langle a_2, s\rangle + e_2$
  ...
where $s$ is chosen randomly in $\mathbb{Z}_q^n$, the $a_i$ are chosen randomly from $\mathbb{Z}_q^n$, and the $e_i$ are "small" elements of $\mathbb{Z}_q$.

Oracle 2 outputs
  $a_1,\; b_1$
  $a_2,\; b_2$
  ...
where the $a_i$ are chosen randomly from $\mathbb{Z}_q^n$ and the $b_i$ are chosen randomly from $\mathbb{Z}_q$.

Distinguish between these two distributions.

LWE < d-LWE (search LWE reduces to decisional LWE)

We are given LWE samples $(a, b) = (a, \langle a, s\rangle + e)$, choose a vector $v$, and make a guess $g$ for $\langle v, s\rangle$. For each sample:

  pick random $r \in \mathbb{Z}_q$ and output $(a + rv,\; b + rg) = (a + rv,\; \langle a, s\rangle + e + rg)$.

If $g = \langle v, s\rangle$, then
  $(a + rv,\; b + rg) = (a + rv,\; \langle a, s\rangle + e + r\langle v, s\rangle) = (a + rv,\; \langle a + rv, s\rangle + e)$,
an LWE sample with the same secret $s$ (and $a + rv$ is uniform because $a$ is), so we produce the Oracle 1 distribution.

If $g \ne \langle v, s\rangle$, write $g = \langle v, s\rangle + g'$ with $g' \ne 0$. Then
  $(a + rv,\; b + rg) = (a + rv,\; \langle a, s\rangle + e + r\langle v, s\rangle + rg') = (a + rv,\; \langle a + rv, s\rangle + e + rg')$.
Here $r$ is independent of $a + rv$, $s$ and $e$, so for every $u \in \mathbb{Z}_q$ and $a' = a + rv$:
  $\Pr[\langle a', s\rangle + e + rg' = u \mid a'] = \Pr[r = (u - (\langle a', s\rangle + e))\,(g')^{-1}] = 1/q$
(with $q$ prime, so that $g' \ne 0$ is invertible). The second component is uniform, so we produce the Oracle 2 distribution.

Use the distinguisher to tell us whether the guess $g$ for $\langle v, s\rangle$ was correct. Setting $v = (1, 0, \dots, 0)$, then $(0, 1, 0, \dots, 0)$, ..., and trying all $q$ guesses for each $v$ recovers every coordinate of $s$.
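The transform of the LWE < d-LWE reduction above, as an added Python example that is not part of the original slides. It generates LWE samples for a known secret, applies $(a, b) \mapsto (a + rv, b + rg)$ once with the correct guess $g = \langle v, s\rangle$ and once with a wrong one, and shows that the residual $b' - \langle a', s\rangle$ equals the small error $e$ in the first case and spreads uniformly over $\mathbb{Z}_q$ in the second. It then runs the coordinate-by-coordinate recovery loop. Since no d-LWE distinguisher is available, `oracle_stub` stands in for it by checking residuals against the known secret, which a real reduction cannot do; the parameters $n = 8$, $q = 97$ (prime) and error bound 3 are toy values chosen here.

```python
# Added example: the sample transform of the LWE < d-LWE reduction, with a
# stand-in oracle so the recovery loop runs end to end. Toy parameters only.
import random


def inner(a, s, q):
    return sum(x * y for x, y in zip(a, s)) % q


def lwe_sample(s, q, err_bound, rng):
    """(a, b) with a uniform in Z_q^n and b = <a,s> + e, |e| <= err_bound."""
    a = [rng.randrange(q) for _ in range(len(s))]
    e = rng.randint(-err_bound, err_bound)
    return a, (inner(a, s, q) + e) % q


def transform(sample, v, g, q, rng):
    """The reduction's map: (a, b) -> (a + r*v, b + r*g) for uniform r in Z_q."""
    a, b = sample
    r = rng.randrange(q)
    return [(x + r * y) % q for x, y in zip(a, v)], (b + r * g) % q


def residual(sample, s, q):
    """b - <a,s> mod q, centred in (-q/2, q/2]: equals the error e for a genuine
    LWE sample with secret s, and is uniform when the second component is random."""
    a, b = sample
    t = (b - inner(a, s, q)) % q
    return t - q if t > q // 2 else t


def two_cases(n=8, q=97, err_bound=3, samples=200, seed=1):
    """Residuals after the transform with v = (1,0,...,0): once with the correct
    guess g = s[0] (Oracle 1 behaviour) and once with g = s[0] + 1 (Oracle 2)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    v = [1] + [0] * (n - 1)
    good_g, bad_g = s[0], (s[0] + 1) % q
    correct, wrong = [], []
    for _ in range(samples):
        smp = lwe_sample(s, q, err_bound, rng)
        correct.append(residual(transform(smp, v, good_g, q, rng), s, q))
        wrong.append(residual(transform(smp, v, bad_g, q, rng), s, q))
    return correct, wrong


def oracle_stub(samples, s, q, err_bound):
    """Stand-in for the d-LWE oracle: answers 'Oracle 1' when every residual is
    within the error bound. A real reduction never sees s; this stub exists only
    so the loop below can run. A wrong g is accepted with probability
    ((2*err_bound+1)/q)^len(samples), about 1e-23 at the default parameters."""
    return all(abs(residual(x, s, q)) <= err_bound for x in samples)


def recover_secret(s, q, err_bound, rng, per_guess=20):
    """For each coordinate i set v = e_i, try all q guesses g, and keep the one
    the oracle accepts, exactly as the slide describes."""
    n = len(s)
    recovered = []
    for i in range(n):
        v = [1 if j == i else 0 for j in range(n)]
        for g in range(q):
            batch = [transform(lwe_sample(s, q, err_bound, rng), v, g, q, rng)
                     for _ in range(per_guess)]
            if oracle_stub(batch, s, q, err_bound):
                recovered.append(g)
                break
    return recovered


def demo(n=8, q=97, err_bound=3, seed=1):
    """Returns (secret, recovered) for a fresh random secret."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    return s, recover_secret(s, q, err_bound, rng)


if __name__ == "__main__":
    good, bad = two_cases()
    print("correct guess, max |residual|:", max(abs(x) for x in good))
    print("wrong guess, distinct residuals:", len(set(bad)))
    print("secret, recovered:", demo())
```

The two residual lists are the whole content of the reduction: with the right guess the transformed pair is still an LWE sample for $s$, with a wrong guess its second component is uniform, and a distinguisher between those two cases is all the recovery loop needs.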

Learning With Errors Problem (matrix form)

Stacking the $m$ samples, with $a_1, \dots, a_m$ as the rows of $A$:

  $A s + e = b$

  $A \in \mathbb{Z}_q^{m \times n}$, $s \in \mathbb{Z}_q^n$, $e \in \mathbb{Z}_q^m$, $b \in \mathbb{Z}_q^m$; all coefficients of $e$ are $< \sqrt{q}$.

LWE problem (decisional form): distinguish $(A, As + e)$ from $(A, b)$ where $b$ is random.

Public Key Encryption Based on LWE

  $A s + e = b$

Secret Key: $s \in \mathbb{Z}_q^n$
Public Key: $A \in \mathbb{Z}_q^{m \times n}$, $b = As + e$, where each coefficient of $e$ is $< \sqrt{q}$

Encrypting a single bit $z \in \{0,1\}$: pick $r \in \{0,1\}^m$ and send
  $(rA,\; \langle r, b\rangle + z\lfloor q/2\rfloor)$
where $rA \in \mathbb{Z}_q^n$ is the row vector $r$ times $A$.

Proof of Semantic Security

  public key $(A, b = As + e)$, ciphertext $(rA,\; \langle r, b\rangle + z\lfloor q/2\rfloor)$

If $b$ is random (independent of $A$), then $(A, rA, \langle r, b\rangle)$ is also completely random, so $(A, rA, \langle r, b\rangle + z\lfloor q/2\rfloor)$ is completely random, whatever $z$ is. (This step needs $m$ large enough that $(rA, \langle r, b\rangle)$ for $r \in \{0,1\}^m$ is statistically close to uniform; this is where the leftover hash lemma enters.)

Since $(A, b)$ looks random (based on the hardness of decisional LWE), so does $(A, rA, \langle r, b\rangle + z\lfloor q/2\rfloor)$ for any $z$. Encryptions of 0 and of 1 are therefore indistinguishable.

Decryption

Have $(u, v)$ where $u = rA$ and $v = \langle r, b\rangle + z\lfloor q/2\rfloor$.

Compute $v - \langle u, s\rangle$:
  if it is closer to $0$ than to $q/2$, decrypt to $0$;
  if it is closer to $q/2$ than to $0$, decrypt to $1$.

Why this works:
  $v - \langle u, s\rangle = r(As + e) + z\lfloor q/2\rfloor - rAs = \langle r, e\rangle + z\lfloor q/2\rfloor$.
If all coefficients of $e$ are $< \sqrt{q}$ and $r \in \{0,1\}^m$, then $|\langle r, e\rangle| < m\sqrt{q}$. So if $q \gg m\sqrt{q}$ (concretely, $m\sqrt{q} < q/4$), the term $z\lfloor q/2\rfloor$ "dominates" $\langle r, e\rangle$ and the rounding above is always correct.
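The encryption scheme of the last three slides as an added Python example (not code from the slides): key generation, single-bit encryption and decryption, with the decryption-correctness condition $m\sqrt{q} < q/4$ (the slide's $q \gg m\sqrt{q}$) checked explicitly before keys are generated. The parameters $n = 8$, $m = 16$, $q = 4099$ are illustrative and provide no security, and Python's `random` is not a cryptographic generator.

```python
# Added example: toy implementation of the single-bit LWE encryption scheme on
# the slides. Parameters are far too small for real security.
import math
import random


def params_ok(m, q):
    """Slide condition: |<r,e>| < m*sqrt(q) must stay below q/4 so that
    z*floor(q/2) dominates the error term and rounding never fails."""
    return m * math.isqrt(q) < q / 4


def keygen(n, m, q, rng):
    """Secret key s in Z_q^n; public key (A, b = As + e) with A in Z_q^{m x n}
    and every coefficient of e of absolute value < sqrt(q)."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    bound = math.isqrt(q) - 1            # |e_i| <= floor(sqrt(q)) - 1 < sqrt(q)
    e = [rng.randint(-bound, bound) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return s, (A, b)


def encrypt_bit(pk, z, q, rng):
    """Pick r in {0,1}^m and send (rA, <r,b> + z*floor(q/2))."""
    A, b = pk
    m, n = len(A), len(A[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]   # rA
    v = (sum(r[i] * b[i] for i in range(m)) + z * (q // 2)) % q          # <r,b> + z*q/2
    return u, v


def decrypt_bit(s, ct, q):
    """v - <u,s> = <r,e> + z*floor(q/2) mod q; closer to 0 means z = 0,
    closer to q/2 means z = 1."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % q
    dist_to_zero = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 0 if dist_to_zero < dist_to_half else 1


def encrypt_bits(pk, bits, q, rng):
    """Longer messages are encrypted bit by bit, one ciphertext per bit."""
    return [encrypt_bit(pk, z, q, rng) for z in bits]


def decrypt_bits(s, cts, q):
    return [decrypt_bit(s, ct, q) for ct in cts]


def ciphertext_bits_per_message_bit(n, q):
    """Each encrypted bit costs n + 1 elements of Z_q: the source of the large
    ciphertexts discussed on the following slides."""
    return (n + 1) * math.ceil(math.log2(q))


def demo(n=8, m=16, q=4099, seed=7):
    """Round-trip a random 64-bit message; returns (message, recovered)."""
    if not params_ok(m, q):
        raise ValueError("parameters violate the decryption bound m*sqrt(q) < q/4")
    rng = random.Random(seed)
    s, pk = keygen(n, m, q, rng)
    msg = [rng.randrange(2) for _ in range(64)]
    cts = encrypt_bits(pk, msg, q, rng)
    return msg, decrypt_bits(s, cts, q)


if __name__ == "__main__":
    msg, rec = demo()
    print("round trip ok:", msg == rec)
    print("ciphertext bits per message bit:", ciphertext_bits_per_message_bit(8, 4099))
```

With $m = 16$ and $q = 4099$ the error bound is $16 \cdot 63 = 1008 < q/4 \approx 1024.75$, so decryption is correct for every $r$; shrinking $q$ to 257 makes `params_ok` fail, which is the failure mode the slide's "$q \gg m\sqrt{q}$" guards against.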

Lattices in Practice

Lattices have some great features

Very strong security proofs

The schemes are fairly simple

Relatively efficient

But there is a major drawback

Schemes have very large keys

Hash Function

Description of the hash function: $a_1, \dots, a_m \in \mathbb{Z}_q^n$.
Input: bit-string $z_1 \dots z_m \in \{0,1\}^m$.

  $h(z_1 \dots z_m) = z_1 a_1 + z_2 a_2 + \dots + z_m a_m$   (in $\mathbb{Z}_q^n$)

Sample parameters: $n = 64$, $m = 1024$, $p = 257$ (the modulus, written $q$ above)
  Domain size: $2^{1024}$ (1024 bits)
  Range size: $257^{64}$ ($\approx 2^{512}$, i.e. $\approx 512$ bits)
  Function description: $\log_2(257) \cdot 64 \cdot 1024 \approx 525{,}000$ bits

Public-Key Cryptosystem

(Textbook) RSA:

Key-size: ≈ 2048 bits

Ciphertext length (2048 bit message): ≈ 2048 bits

LWE-based scheme:

Key-size: ≈ 600,000 bits

Ciphertext length (2048 bit message): ≈ 40,000 bits

Source of Inefficiency

$h(z) = Az$ with $A \in \mathbb{Z}_q^{n \times m}$ (here $n = 4$, $m = 8$) and $z \in \{0,1\}^m$:

        [  4 11  6  8 10  7  6 14 ]
  A  =  [  7  7  1  2 13  0  3  0 ]      z = (1, 0, 0, 1, 0, 1, 1, 0)^T
        [  2  9 12  5  1  2  5  9 ]
        [  1  3 14  9  7  1 11  1 ]

Require $O(mn)$ storage; computing the function takes $O(mn)$ time.

A More Efficient Idea

Make each $n \times n$ block of $A$ cyclic (circulant): every column is the previous column rotated down by one position.

        [  4  1  2  7 | 10  7  1 13 ]
  A  =  [  7  4  1  2 | 13 10  7  1 ]      z = (1, 0, 0, 1, 0, 1, 1, 0)^T
        [  2  7  4  1 |  1 13 10  7 ]
        [  1  2  7  4 |  7  1 13 10 ]

Each block is determined by its first column, $(4, 7, 2, 1)$ and $(10, 13, 1, 7)$ respectively.
Now $A$ only requires $m$ storage ($m/n$ blocks, $n$ entries each).
$Az$ can be computed faster as well.

A More Efficient Idea (continued)

Read the first column of each block, and each block of $z$, as a polynomial:
  $(4, 7, 2, 1) \leftrightarrow 4 + 7x + 2x^2 + x^3$,   $(10, 13, 1, 7) \leftrightarrow 10 + 13x + x^2 + 7x^3$
  $z = (1, 0, 0, 1 \mid 0, 1, 1, 0) \leftrightarrow 1 + x^3$ and $x + x^2$
The columns of a block are $a(x),\; x\,a(x),\; x^2 a(x),\; x^3 a(x)$ reduced modulo $x^n - 1$, so

  $A z = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2)$   in $\mathbb{Z}_p[x]/(x^n - 1)$

with $n = 4$; the coefficient vector of this polynomial is the hash output.

Interlude: What is $\mathbb{Z}_p[x]/(x^n - 1)$?

$\mathbb{Z}$ = integers
$\mathbb{Z}_p$ = integers modulo $p$
$\mathbb{Z}_p[x]$ = polynomials with coefficients in $\mathbb{Z}_p$
  Example if $p = 3$: $1 + x$, $2 + x^2 + x^{1001}$
$\mathbb{Z}_p[x]/(x^n - 1)$ = polynomials of degree at most $n - 1$, with coefficients in $\mathbb{Z}_p$
  Example if $p = 3$ and $n = 4$: $1 + x$, $2 + x + x^2$

Operations in $\mathbb{Z}_p[x]/(x^n - 1)$?
Addition: addition of polynomials modulo $p$
  Example if $p = 3$ and $n = 4$: $(1 + x^2) + (2 + x^2 + x^3) = 3 + 2x^2 + x^3 = 2x^2 + x^3$
Multiplication: polynomial multiplication modulo $p$ and $x^n - 1$ (i.e. $x^n = 1$, so here $x^4 = 1$ and $x^5 = x$)
  Example if $p = 3$ and $n = 4$: $(1 + x^2)(2 + x^2 + x^3) = 2 + 3x^2 + x^3 + x^4 + x^5 = 2 + 3x^2 + x^3 + 1 + x = x + x^3$

A More Efficient Idea (continued)

  $A z = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2)$   in $\mathbb{Z}_p[x]/(x^n - 1)$

Multiplication in $\mathbb{Z}_p[x]/(x^n - 1)$ takes time $O(n \log n)$ using the FFT, so the $m/n$ block products cost $O(m \log n)$ in total instead of $O(mn)$.

Great, a Better Hash Function!

Sample parameters: $n = 64$, $m = 1024$, $p = 257$
  Domain size: $2^{1024}$ (1024 bits)
  Range size: $257^{64}$ ($\approx 512$ bits)
  Original function description: $\log_2(257) \cdot 64 \cdot 1024 \approx 525{,}000$ bits
  "New function" description: $\log_2(257) \cdot 64 \cdot 16 \approx 8192$ bits ($m/n = 16$ blocks, one vector of 64 entries each), and it's much faster!

But Is it Hard to Find Collisions?

  $h(z) = Az$ with $A = [\,\mathrm{circulant}(4, 7, 2, 1) \mid \mathrm{circulant}(10, 13, 1, 7)\,]$

NO!

Finding Collisions

  $h(z) = a_1(x)\, z_1(x) + a_2(x)\, z_2(x) + \dots$   in $\mathbb{Z}_q[x]/(x^n - 1)$, one term per block

How many possibilities are there for the output vector? In general it is an arbitrary element of $\mathbb{Z}_q^n$: $q^n$ of them.

There is a way to pick the $z$ vector "smarter" so that the number of possibilities is just $q$. Look at a single cyclic block:

        [ 4 1 2 7 ] [ 0 ]   [ 0 ]            [ 4 1 2 7 ] [ 1 ]   [ 14 ]
        [ 7 4 1 2 ] [ 0 ] = [ 0 ]            [ 7 4 1 2 ] [ 1 ] = [ 14 ]
        [ 2 7 4 1 ] [ 0 ]   [ 0 ]            [ 2 7 4 1 ] [ 1 ]   [ 14 ]
        [ 1 2 7 4 ] [ 0 ]   [ 0 ]            [ 1 2 7 4 ] [ 1 ]   [ 14 ]

A cyclic block times the all-ones vector gives the constant vector $(c, \dots, c)$ where $c$ is the sum of the block's entries ($4 + 7 + 2 + 1 = 14$); times the all-zeros vector it gives $0$. In polynomial terms: $x^j (1 + x + \dots + x^{n-1}) = 1 + x + \dots + x^{n-1}$ modulo $x^n - 1$.

Set each block of $z$ to either all 0's or all 1's. The output is then a constant vector $(c, \dots, c)$ with $c \in \mathbb{Z}_q$, so there are only $q$ possible outputs.
How many possibilities for $z$ are there? $2^{\#\text{ of blocks}}$.
Need $2^{\#\text{ of blocks}} > q$ to guarantee a collision of this form (pigeonhole), i.e.
  # of blocks $> \log q$.

Collision-Resistant Hash Function (from SIS)

Given: vectors $a_1, \dots, a_m \in \mathbb{Z}_q^n$, $A = (a_1, \dots, a_m)$. Define $h_A : \{0,1\}^m \to \mathbb{Z}_q^n$ by
  $h_A(z_1, \dots, z_m) = a_1 z_1 + \dots + a_m z_m$.

A collision $h_A(z) = h_A(z')$ with $z \ne z'$ gives a non-trivial $z - z' \in \{-1, 0, 1\}^m$ with
  $a_1 (z_1 - z'_1) + \dots + a_m (z_m - z'_m) = 0$.
So collision-resistance follows from the hardness of SIS: find a non-trivial solution $z_1, \dots, z_m \in \{-1, 0, 1\}$ such that $z_1 a_1 + z_2 a_2 + \dots + z_m a_m = 0$.

Domain of $h$ = $\{0,1\}^m$ (size $2^m$); range of $h$ = $\mathbb{Z}_q^n$ (size $q^n$). Set $m > n \log q$ to get compression.
For the block construction this means # of blocks $= m/n > \log q$, which is exactly the regime in which the collision of the previous slide exists.

But …

Theorem: For a random $r \in \mathbb{Z}_q^n$, it is hard to find a $z$ with coefficients in $\{-1, 0, 1\}$ such that $Az \bmod q = r$.

        [  4  1  2  7 | 10  7  1 13 ]         [ 12 ]
        [  7  4  1  2 | 13 10  7  1 ]  z  =   [  3 ]  = r
        [  2  7  4  1 |  1 13 10  7 ]         [  7 ]
        [  1  2  7  4 |  7  1 13 10 ]         [  4 ]

So the cyclic construction is one-way, even though it is not collision-resistant.

Lattice Problems for "Cyclic Lattices" (worst-case)  -->  One-Way Functions (average-case)

Cyclic Lattices = $(x^n - 1)$-Ideal Lattices = Ideals in $\mathbb{Z}[x]/(x^n - 1)$

A set $L \subseteq \mathbb{Z}^n$ is a cyclic lattice if:

1.) For all $v, w \in L$, $v + w$ is also in $L$
      $(-4, 3, 2, -1) + (6, 3, -2, -7) = (2, 6, 0, -8)$
2.) For all $v \in L$, $-v$ is also in $L$
      $-(-4, 3, 2, -1) = (4, -3, -2, 1)$
3.) For all $v \in L$, a cyclic shift of $v$ is also in $L$
      $(-4, 3, 2, -1) \to (3, 2, -1, -4) \to (2, -1, -4, 3) \to (-1, -4, 3, 2)$

Identifying $(v_0, \dots, v_{n-1})$ with $v_0 + v_1 x + \dots + v_{n-1} x^{n-1}$, a cyclic shift is multiplication by a power of $x$ modulo $x^n - 1$, so conditions 1.) to 3.) say exactly that $L$ is an ideal of $\mathbb{Z}[x]/(x^n - 1)$.

What About Hash Functions?

$h(z) = Az$ with $A$ built from cyclic blocks (first columns $(4, 7, 2, 1)$ and $(10, 13, 1, 7)$): one-way, but

Not Collision-Resistant

A "Simple" Modification

Use anti-cyclic (negacyclic) blocks: each column is the previous one rotated down by one position, with the entry that wraps around negated.

        [  4 -1 -2 -7 | 10 -7 -1 -13 ]
  A  =  [  7  4 -1 -2 | 13 10 -7  -1 ]
        [  2  7  4 -1 |  1 13 10  -7 ]
        [  1  2  7  4 |  7  1 13  10 ]

In polynomial terms the columns of a block are $a(x),\; x\,a(x),\; x^2 a(x),\; x^3 a(x)$ modulo $x^n + 1$ instead of $x^n - 1$.

Theorem: It is hard to find a $z$ with coefficients in $\{-1, 0, 1\}$ such that $Az \bmod q = 0$.
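An added Python example, not code from the slides, that ties together the structured-hash slides, the $\mathbb{Z}_p[x]/(x^n - 1)$ interlude, the block-constant collision attack and the $x^n + 1$ modification above. It computes the hash both as $Az$ with explicit cyclic blocks and as polynomial multiplication, checks that the two agree on the slides' example blocks $(4, 7, 2, 1)$ and $(10, 13, 1, 7)$, finds a collision for the $x^n - 1$ version by the all-0/all-1 block trick, and shows that with $x^n + 1$ the all-ones block no longer produces a constant vector. The modulus $q = 17$ and the random blocks in `demo_collision` are assumptions; the slides state no modulus for their example. The last check only shows that this particular attack fails; collision-resistance of the $x^n + 1$ version is the theorem on the slide, not something the code demonstrates.

```python
# Added example: cyclic / negacyclic structured hash as matrix product and as
# ring multiplication, plus the block-constant collision attack on x^n - 1.
import itertools
import random


def poly_mul_mod(a, z, q, sign):
    """a(x) * z(x) in Z_q[x]/(x^n - sign); sign=+1 is x^n - 1 (cyclic),
    sign=-1 is x^n + 1 (negacyclic). Coefficient lists, lowest degree first."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, zj in enumerate(z):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * zj) % q
            else:                         # x^n wraps around to sign
                out[k - n] = (out[k - n] + sign * ai * zj) % q
    return out


def block_matrix(a, q, sign):
    """n x n block whose columns are a, x*a, x^2*a, ...: each column is the
    previous one rotated down, the wrapped entry multiplied by sign."""
    n = len(a)
    cols, col = [], list(a)
    for _ in range(n):
        cols.append(col)
        col = [(sign * col[-1]) % q] + col[:-1]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def matrix_hash(blocks, z, q, sign):
    """h(z) = A z with A = [block(a_1) | block(a_2) | ...], O(mn) work."""
    n = len(blocks[0])
    acc = [0] * n
    for k, a in enumerate(blocks):
        M, zk = block_matrix(a, q, sign), z[k * n:(k + 1) * n]
        acc = [(acc[i] + sum(M[i][j] * zk[j] for j in range(n))) % q
               for i in range(n)]
    return acc


def ring_hash(blocks, z, q, sign):
    """The same function as sum_k a_k(x) * z_k(x); each product is what the
    FFT would accelerate in a real implementation."""
    n = len(blocks[0])
    acc = [0] * n
    for k, a in enumerate(blocks):
        prod = poly_mul_mod(a, z[k * n:(k + 1) * n], q, sign)
        acc = [(u + w) % q for u, w in zip(acc, prod)]
    return acc


def block_constant_collision(blocks, q):
    """Attack on the x^n - 1 version: with every block of z all-0 or all-1,
    each block contributes (c,...,c) with c = sum of its entries, so the hash
    takes at most q values. With 2^(#blocks) > q the pigeonhole principle
    guarantees a collision among these inputs; search them exhaustively."""
    n = len(blocks[0])
    seen = {}
    for pattern in itertools.product((0, 1), repeat=len(blocks)):
        z = [bit for bit in pattern for _ in range(n)]
        h = tuple(ring_hash(blocks, z, q, +1))
        if h in seen:
            return seen[h], z
        seen[h] = z
    return None


def random_blocks(num_blocks, n, q, rng):
    return [[rng.randrange(q) for _ in range(n)] for _ in range(num_blocks)]


def demo_collision(q=17, n=4, num_blocks=5, seed=3):
    """2^5 = 32 block patterns > 17 outputs, so a collision must exist.
    Returns (blocks, z1, z2) with z1 != z2 and equal hashes."""
    rng = random.Random(seed)
    blocks = random_blocks(num_blocks, n, q, rng)
    z1, z2 = block_constant_collision(blocks, q)
    return blocks, z1, z2


if __name__ == "__main__":
    slide_blocks = [[4, 7, 2, 1], [10, 13, 1, 7]]
    slide_z = [1, 0, 0, 1, 0, 1, 1, 0]
    print("matrix:", matrix_hash(slide_blocks, slide_z, 17, +1))
    print("ring:  ", ring_hash(slide_blocks, slide_z, 17, +1))
    print("all-ones, x^4 - 1:", poly_mul_mod([4, 7, 2, 1], [1, 1, 1, 1], 17, +1))
    print("all-ones, x^4 + 1:", poly_mul_mod([4, 7, 2, 1], [1, 1, 1, 1], 17, -1))
    blocks, z1, z2 = demo_collision()
    print("collision:", z1, z2, ring_hash(blocks, z1, 17, +1))
```

`block_matrix(a, q, +1)` reproduces the cyclic blocks drawn on the slides and `block_matrix(a, q, -1)` the anti-cyclic ones, so the two hash implementations can be compared entry for entry; the interlude's worked product $(1 + x^2)(2 + x^2 + x^3) = x + x^3$ over $\mathbb{Z}_3[x]/(x^4 - 1)$ is `poly_mul_mod([1, 0, 1, 0], [2, 0, 1, 1], 3, +1)`.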

Lattice Problems for $(x^n + 1)$-Ideal Lattices (worst-case)
  --> Small Integer Solution Problem (SIS)   (average-case)
        --> One-Way Functions, Collision-Resistant Hash Functions,
            Digital Signatures, Identification Schemes   (Minicrypt)

$(x^n + 1)$-Ideal Lattices

A set $L \subseteq \mathbb{Z}^n$ is an $(x^n + 1)$-ideal lattice if:

1.) For all $v, w \in L$, $v + w$ is also in $L$
      $(4, 3, 2, 1) + (6, 3, -2, -7) = (10, 6, 0, -6)$
2.) For all $v \in L$, $-v$ is also in $L$
      $-(4, 3, 2, 1) = (-4, -3, -2, -1)$
3.) For all $v \in L$, its "negative rotation" is also in $L$ (rotate, and negate the entry that wraps around)
      $(4, 3, 2, 1) \to (3, 2, 1, -4) \to (2, 1, -4, -3) \to (1, -4, -3, -2)$

So How Efficient are the Ideal Lattice Constructions?

Collision-resistant hash functions

More efficient than any other provably-secure hash function

Almost as efficient as the ones used in practice

Can only prove collision-resistance

Signature schemes

Theoretically, very efficient

In practice, efficient

Key length ≈ 20,000 bits

Signature length ≈ 50,000 bits