
The Shortest Vector Problem in Ideal Lattices

Simon T. Huỳnh

Thesis advisor: A. Kirsten Eisenträger

Department of Mathematics, The Pennsylvania State University

Quantum Attacks on Public-key Cryptosystems

• The security of RSA relies upon the hardness of factoring integers into primes. Shor’s algorithm is a quantum algorithm which factors integers in quantum polynomial time [Sho95]. Thus, a quantum computer can break RSA.
• NSA announced its preparation for a transition to quantum resistant algorithms in 2015 [NSA15].

Figure 1: $\Delta = x + y - z$ denotes the period of time when information protected by public-key cryptosystems becomes vulnerable under the attacks of quantum algorithms [Mos15].

An Alternative: Lattice-based Cryptography

• Lattice-based cryptosystems are attractive for strong provable security and resistance to quantum attacks. Their security depends on the hardness of the Shortest Vector Problem (SVP) in lattices.
• Ideal lattices are used to allow faster computations and less space complexity. However, the security of ideal lattice-based cryptographic schemes is not well understood.

Preliminaries

• A commutative ring $R$ is a set with binary operators $+$ and $\times$ such that: $(R, +)$ is an Abelian group, $\times$ is associative and commutative, and $\times$ is distributive over $+$.
• A subset $S \subset R$ is a subring of $R$ if $S$ is also a ring.
• A subring $I$ of $R$ is called an ideal of $R$ if for all $r \in R$,

  $r \times I = \{r \times x : x \in I\} = I$.

• An ideal $I$ of a ring $R$ is principal if there exists $a \in R$ such that for all $x \in I$,

  $x = a \times y$

  for some $y \in R$.
• A quotient ring $R/I$, where $I$ is an ideal of a ring $R$, is the set of equivalence classes where $\bar{x} = \bar{y}$ if and only if $x - y \in I$.
• Let $R_1$ and $R_2$ be rings. $R_1$ is isomorphic to $R_2$, denoted $R_1 \cong R_2$, if there exists a map $\varphi : R_1 \to R_2$ such that $\varphi$ is a bijection, $\varphi(x + y) = \varphi(x) + \varphi(y)$, and $\varphi(x \times y) = \varphi(x) \times \varphi(y)$ for all $x, y \in R_1$.

Example: The set $\mathbb{Z}$ with the usual $+$ and $\times$ is a commutative ring. Every ideal of $\mathbb{Z}$ is of the form $(n) = n \times \mathbb{Z}$ for some $n \in \mathbb{Z}$, and is thus principal. Given an ideal $(n)$ of $\mathbb{Z}$, the quotient ring $\mathbb{Z}/(n)$ is the ring of integers modulo $n$.

Lattices

• A lattice $L(B)$ is the set of $\mathbb{Z}$-linear combinations of basis vectors $B = \{\vec{b}_1, \ldots, \vec{b}_n\}$:

  $L(B) = \{B\vec{x} : \vec{x} \in \mathbb{Z}^n\}$.

• $\Lambda \subset L(B)$ is a sublattice of $L(B)$ if $\Lambda$ is itself a lattice.

Figure 2: A lattice with basis $B = \{(1, \pi), (\pi, 1)\}$.

Theorem 1. For two distinct lattice bases $B$ and $C$, $L(B) = L(C) \iff \exists\, U \in GL(n, \mathbb{Z})$ such that $B = CU$ [Mic14b].

The Shortest Vector Problem

• The minimum distance of a lattice $L$ is

  $\lambda := \inf\{\|\vec{v}\| : \vec{v} \neq \vec{0},\ \vec{v} \in L\}$.

• Given $L$, the Shortest Vector Problem (SVP) asks to find a nonzero vector $\vec{v} \in L$ such that

  $\|\vec{v}\| = \lambda$.

• SVP is NP-hard in lattices. Its hardness is unknown in ideal lattices [MR09].

Basis Reduction

Given $B$, the Gram-Schmidt orthogonalization $B^*$ of $B$ is defined by

  $\vec{b}^*_i = \vec{b}_i - \sum_{j=1}^{i-1} \mu_{i,j}\, \vec{b}^*_j$, where $\mu_{i,j} = \dfrac{\langle \vec{b}_i, \vec{b}^*_j \rangle}{\langle \vec{b}^*_j, \vec{b}^*_j \rangle}$.

$B$ is said to be $\delta$-LLL reduced for $\frac{1}{4} < \delta \leq 1$ if $|\mu_{i,j}| \leq \frac{1}{2}$ for all $i > j$ and

  $\delta \|\vec{b}^*_i\|^2 \leq \|\mu_{i+1,i}\, \vec{b}^*_i + \vec{b}^*_{i+1}\|^2$ for all $i$.

Theorem 2. For any $\frac{1}{4} < \delta \leq 1$, if $B$ is a $\delta$-LLL reduced basis then

  $\|\vec{b}_1\| \leq \alpha^{(n-1)/2}\, \lambda$, where $\alpha := \dfrac{1}{\delta - \frac{1}{4}} \geq \frac{4}{3}$ [Mic14a].

The LLL Algorithm

The LLL algorithm $\delta$-LLL reduces any lattice basis in polynomial time in the lattice’s dimension and the bit-size of $B$ [LLL82, Reg04].

Cyclic Lattices

• Let $\vec{x} = (x_1, \ldots, x_n)$ be in $\mathbb{R}^n$. The rotational shift operator acting on $\vec{x}$ is defined as

  $\mathrm{rot}(\vec{x}) := (x_n, x_1, \ldots, x_{n-1}) \in \mathbb{R}^n$.

• A lattice $L$ is cyclic if and only if for all $\vec{x} \in L$, $\mathrm{rot}(\vec{x}) \in L$.
• For $n \in \mathbb{Z}^+$, the map $\gamma : \mathbb{Z}[x]/(x^n - 1) \to \mathbb{Z}^n$ given by

  $\gamma\!\left(\sum_{i=0}^{n-1} a_i x^i\right) = (a_0, \ldots, a_{n-1})$,

  where $a_j \in \mathbb{Z}$, is a ring isomorphism [PR05]. That is, $\mathbb{Z}[x]/(x^n - 1) \cong \mathbb{Z}^n$.

Theorem 3. A subring $I$ of $\mathbb{Z}[x]/(x^n - 1)$ is an ideal if and only if $\gamma(I)$ is a cyclic sublattice of $\mathbb{Z}^n$ [Mic07].

Example: Consider $R = \mathbb{Z}[x]/(x^2 - 1) \cong \mathbb{Z}^2$. Let $I_1 := (x - 1)$ and $I_2 := (2x - 3)$ be ideals of $R$.
• $\gamma(I_1)$ is a 1-dimensional sublattice of $\mathbb{Z}^2$ with a basis $\{(1, -1)\}$. A shortest vector is $(1, -1)$.
• $\gamma(I_2)$ is a 2-dimensional sublattice of $\mathbb{Z}^2$ with a basis $\{(2, -3), (-3, 2)\}$. A shortest vector is $(-1, -1)$. A 1-LLL reduced basis of $\gamma(I_2)$ is $\{(-1, -1), (2, -3)\}$.

Figure 3: The cyclic sublattice $\gamma(I_1)$ of $\mathbb{Z}^2$.

Figure 4: The cyclic sublattice $\gamma(I_2)$ of $\mathbb{Z}^2$.

Results

Theorem 4. Let $I$ be a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$ generated by $p(x)$, for $p(x) \in \mathbb{Z}[x]$, and let

  $f(x) := \dfrac{x^n - 1}{\gcd(p(x),\, x^n - 1)}$.

Then the set

  $\{\vec{p},\ \mathrm{rot}(\vec{p}),\ \ldots,\ \mathrm{rot}^{\deg(f)-1}(\vec{p})\}$, where $\vec{p} = \gamma(p(x)) \in \mathbb{Z}^n$,

is a basis of the cyclic sublattice $\gamma(I)$ of $\mathbb{Z}^n$. It follows that the dimension of $\gamma(I)$ is $\deg(f)$. In particular, if $p(x)$ is relatively prime to $x^n - 1$ then $\gamma(I)$ is a full-rank sublattice of $\mathbb{Z}^n$.

Conjecture 5. Let $I$ be a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$ and consider the cyclic sublattice $\gamma(I)$ of $\mathbb{Z}^n$ constructed via the isomorphism $\gamma : \mathbb{Z}[x]/(x^n - 1) \to \mathbb{Z}^n$. Let $B_{1\text{-LLL}}$ be a 1-LLL reduced basis for $\gamma(I)$. Then the vector $\vec{v} \in B_{1\text{-LLL}}$, where

  $\|\vec{v}\| = \min\{\|\vec{b}\| : \vec{b} \in B_{1\text{-LLL}}\}$,

is a shortest vector in the lattice $\gamma(I)$.
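The following is an added worked example, written for this page and not code from the poster or its author. It implements the map $\gamma$ and the rotational shift, the multiplication in $\mathbb{Z}[x]/(x^n - 1)$ that makes $\gamma$ carry multiplication by $x$ to $\mathrm{rot}$ (Theorem 3), the basis $\{\vec{p}, \mathrm{rot}(\vec{p}), \ldots\}$ of Theorem 4 with $\deg f$ computed from $\deg \gcd(p, x^n - 1)$ over $\mathbb{Q}$, and an exact rational LLL reduction with the poster's two conditions at $\delta = 1$, so Conjecture 5 can be checked on small instances against an exhaustive search. Assumptions not in the poster: the instance $I = (x + 2)$ in $\mathbb{Z}[x]/(x^4 - 1)$ is constructed here, size reduction rounds $\mu$ to the nearest integer, and the brute-force search bound of 5 on the coefficient vector is large enough for these instances (it is, since any vector shorter than the basis vectors has bounded coefficients in these small cases).

```python
# Added example (not from the poster). Polynomials are coefficient lists, lowest degree first.
from fractions import Fraction
from itertools import product

def gamma(poly, n):
    """gamma: Z[x]/(x^n - 1) -> Z^n, reducing with x^n = 1 (exponents wrap mod n)."""
    v = [0] * n
    for i, a in enumerate(poly):
        v[i % n] += a
    return tuple(v)

def rot(v):
    """Rotational shift: rot(x_1, ..., x_n) = (x_n, x_1, ..., x_{n-1})."""
    return (v[-1],) + tuple(v[:-1])

def mul_mod(p, q, n):
    """Product in Z[x]/(x^n - 1); multiplying by x is rot under gamma (Theorem 3)."""
    prod = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            prod[i + j] += a * b
    return gamma(prod, n)

# Drop trailing zero coefficients so len(p) - 1 is the degree.
strip = lambda p: list(p[:max((i + 1 for i, c in enumerate(p) if c), default=0)])

def gcd_degree(p, q):
    """deg gcd(p, q) over Q by the Euclidean algorithm (only the degree is needed)."""
    a, b = [Fraction(c) for c in strip(p)], [Fraction(c) for c in strip(q)]
    while b:
        while a and len(a) >= len(b):                 # a <- a mod b (long division)
            coef, shift = a[-1] / b[-1], len(a) - len(b)
            for i, c in enumerate(b):
                a[i + shift] -= coef * c
            a = strip(a)
        a, b = b, a
    return len(a) - 1

def ideal_basis(p, n):
    """Theorem 4: {p, rot p, ..., rot^{deg f - 1} p} with deg f = n - deg gcd(p, x^n - 1)."""
    dim = n - gcd_degree(p, [-1] + [0] * (n - 1) + [1])
    v, basis = gamma(p, n), []
    for _ in range(dim):
        basis.append(v)
        v = rot(v)
    return basis

def norm_sq(v):
    return sum(c * c for c in v)

def lll(basis, delta=Fraction(1)):
    """Exact LLL: |mu_ij| <= 1/2 and delta*|b*_i|^2 <= |mu_{i+1,i} b*_i + b*_{i+1}|^2 (delta=1 here)."""
    b = [[Fraction(c) for c in v] for v in basis]
    m = len(b)
    dot = lambda u, w: sum(x * y for x, y in zip(u, w))
    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * m for _ in range(m)]
        for i in range(m):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    bstar, mu = gram_schmidt()
    k = 1
    while k < m:
        for j in range(k - 1, -1, -1):                # size reduction: round mu to nearest integer
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        # Lovasz condition rearranged: |b*_k|^2 >= (delta - mu_{k,k-1}^2) |b*_{k-1}|^2
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [tuple(int(c) for c in v) for v in b]

def lll_shortest(basis):
    """Conjecture 5's candidate: the shortest vector of a 1-LLL reduced basis."""
    return min(lll(basis), key=norm_sq)

def brute_force_min_norm_sq(basis, bound):
    """Exhaustive minimum over coefficient vectors in [-bound, bound]^k (small cases only)."""
    best = None
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        if any(coeffs):
            v = [sum(c * row[i] for c, row in zip(coeffs, basis)) for i in range(len(basis[0]))]
            best = norm_sq(v) if best is None else min(best, norm_sq(v))
    return best

if __name__ == "__main__":   # the poster's I2 = (2x - 3) in n = 2, then the constructed (x + 2) in n = 4
    print(lll(ideal_basis([-3, 2], 2)), lll(ideal_basis([2, 1], 4)))
```

For the poster's $I_2 = (2x - 3)$ the Theorem 4 basis is $\{(-3, 2), (2, -3)\}$ and the 1-LLL reduction returns a basis containing $(-1, -1)$, the shortest vector with $\|\vec{v}\|^2 = 2$. For the constructed instance $(x + 2)$ in $\mathbb{Z}[x]/(x^4 - 1)$, $\gcd(x + 2, x^4 - 1) = 1$ so the lattice is full rank with basis $\{(2,1,0,0), (0,2,1,0), (0,0,2,1), (1,0,0,2)\}$; the 1-LLL reduced basis contains $(-1, 1, -1, 1)$, and the exhaustive search confirms $\lambda^2 = 4$, in agreement with Conjecture 5 on this instance. Two cases are not a proof; the brute-force helper exists precisely so the conjecture can be probed on further small instances.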

Conclusion

Under the assumption that Conjecture 5 is true, SVP becomes easy in this specific family of cyclic lattices. That is, we can use the well-known LLL algorithm to solve SVP for the cyclic lattice $\gamma(I)$ where $I$ is a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$.

Acknowledgments

I wish to express my deepest gratitude and appreciation to my thesis advisor Dr. A. Kirsten Eisenträger. Thank you for giving me the opportunity to challenge myself.

References

[LLL82] A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:515–534, 1982.

[Mic07] D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. 2007.

[Mic14a] D. Micciancio. Basis reduction, 2014.

[Mic14b] D. Micciancio. Point lattices, 2014.

[Mos15] M. Mosca. Cybersecurity in an era with quantum computers: will we be ready? Cryptology ePrint Archive, Report 2015/1075, 2015.

[MR09] D. Micciancio and O. Regev. Lattice-based cryptography. In Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen, editors, Post-Quantum Cryptography, pages 147–187. Springer, Berlin Heidelberg, 2009.

[NSA15] Commercial national security algorithm suite. U.S. National Security Agency, 2015.

[PR05] C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. 2005.

[Reg04] O. Regev. Lattices in Computer Science. Lecture notes, Tel Aviv University, 2004.

[Sho95] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. 1995.