Lattice Based Cryptography - GGH Cryptosystem

  • View
    319

  • Download
    1

Embed Size (px)

Text of Lattice Based Cryptography - GGH Cryptosystem

  • Lattice Based CryptographyGGH Cryptosystem

    Tarun Raj - 110050050Rama Krishna Banoth - 110050054

    Abhilash Gupta - 110050058Vinod Reddy - 110050060 Varun Janga - 110050076

  • Quick recap of Linear Algebra andVector Spaces A vector space V is a subset of Rn with the

    property that 1*v1+2*v2 +..+m*vm V: for a given v1, v2, ...,vm V and all 1, 2 ,.., m R where m

  • What is a Lattice?

    A basis for L is any set of independent vectors that generates L.

    The dimension of L is the no. of vectors in a basis for L.

  • Properties of Lattices An Integer lattice is a lattice all of whose vectors have

    integer coordinates.

    Any two basis for a lattice L are related by a matrix having integer coordinates and determinant equal to 1.

  • Hadamard Ratio0
  • Good Basis Vs Bad Basis

    Good basis is the one which has nearly orthogonal vectors i.e, having hadamard ratio close to 1.

    Bad Basis is the one having hadamard ratio close to 0.

  • Hard problems on lattices

  • Hard problems on lattices

  • Hard problems on latticesNote: No polynomial-time algorithm is known for

    approximating the CVP in Rn to within a polynomial factor of n.

    Best known polynomial time algorithms were based on LLL.

    Babai proved that CVP in Rn can be approximated to a factor of 2n/2

  • Babais Algorithm

  • Cryptosystems based on hard Lattice ProblemsSome of the initial ones are: Ajtai-Dwork Cryptosystem. GGH Cryptosystem by Goldreich, Goldwasser, Halevi. NTRU cryptosystem by Hoffstein, Pipher and Silverman.

  • GGH Cryptosystem Based on the problem of finding lattice point

    closest to a given vector.(CVP) Security Parameter - n = dimension of the

    lattice Threshold Parameter - = bound on error

    vector Private Key - Good basis of lattice. Public Key - Bad basis of the same lattice

  • GGH - Cryptosystem

  • Private Key(R) Generation Choosing a random lattice

    R, an nxn matrix is chosen where elements are uniformly taken at random from {-l,...,l}nxn for some integer bound l.

    l had no effect on basis so small value is chosen.(4) Choosing an almost rectangular lattice

    Start with k.I and add the noise generated above. R = R + kIExperimentally, we get best parameters when k~ln

  • Public Key(B) Generation R is multiplied by a few random unimodular matrices. B = R.T1.T2 Each Ti = Li.Ui , where

    Li & Ui are Lower & Upper triangular matrices. Each of the diagonal element is 1 in Li & Ui Other non-zero elements can be chosen at random,

    for experiments they chose from {-1,0,1} Multiplying R by atleast 4 transformations is required to

    prevent attack using LLL lattice reduction algorithm.

  • Cryptanalysis - GGH Cryptosystem

    Following are the attacks on GGH cryptosystem From the original paper by GGH

    The Round-off Attack The Nearest-plane Attack The embedding Attack

    From Phong Nguyen which led to the failure of this system Based on Leaking Remainders

  • Embedding Attack Embed n basis-vectors and the point c (for

    which we want to find the closest lattice point) in an (n+1) dimensional lattice.

    After embedding, lattice reduction algorithms are used to find the shortest non-zero vector in L(B).

    This heuristic works upto dimensions 110-120.

  • Nguyens Attack Let (n, ) be as already defined & B be public

    basis. Assume message m n is encrypted into

    ciphertext c n with B. There is an error vector e {}n such that

    c = mB + e

  • Nguyens AttackLeaking Remainders:

    c = mB + eConsider s = (,...,) n, then we have

    e + s 0 (mod 2) c + s mB (mod 2)If we can solve the above equation, we get m modulo 2, denoted by m2

  • Nguyens AttackSimplifying the CVP:Once we get m2 , observe that m - m2= 2m for some m n.

    c = mB + e c - m2B= (m - m2)B + e c - m2B= 2mB + e

  • Nguyens Attack

    In the above equation, LHS is known. So, the new problem reads as a Closest Vector Problem(CVP) for which error vector e/2 {}n.Observe that this is simpler CVP for which error vectors have entries , thereby traditional methods like embedding are more likely to work now that error vector is smaller.

  • Advantages of Lattice Cryptography Shors algorithm (which runs on a Quantum

    computer) can solve the public key cryptographic systems which rely on integer factorization problem or the discrete logarithm problem

    Lattice based cryptography provides one of the best alternatives for post-quantum cryptographic systems

    Most of lattice based cryptographic constructions are believed to be secure against attacks using either conventional or quantum computers

  • Disadvantages of Lattice Cryptography NTRU based schemes are practical and efficient to

    implement but lack proof of security Theoretical schemes like matrix based learning with

    errors offer strong security proof but use impractically large key sizes for general use

    Since current publicly known experimental quantum computing is nowhere near powerful to attack real cryptographic systems, Lattice based schemes are not used much in practice

  • Research has been done on trying to merge NTRU family algorithms and LWE (Learning with error) schemes

    This class of algorithms are called Learning with errors designs over rings, which offer very efficient computation, moderate key sizes and strong proof of security

    Recent Developments

  • References An Introduction to Mathematical Cryptography by Jeffrey Hoffstein,

    Jill Pipher, Joseph H. Silverman Public-key cryptosystems from lattice reduction problems by Oded

    Goldreich, Shafi Goldwasser, Shai Halevi Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from

    Crypto 97 by Phong Nguyen http://www.math.uni-bonn.de/~saxena/courses/WS2010-ref5.pdf http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf https://www.sav.sk/journals/uploads/0114115305BCKSS.pdf

  • Thank You

  • Example: