
Lattice Based Cryptography: GGH Cryptosystem

Tarun Raj - 110050050
Rama Krishna Banoth - 110050054
Abhilash Gupta - 110050058
Vinod Reddy - 110050060
Varun Janga - 110050076

Quick recap of Linear Algebra and Vector Spaces

A vector space V is a subset of R^n with the property that 1*v1+2*v2 +..+m*vm V: for a given v1, v2, ...,vm V and all 1, 2 ,.., m R where m

What is a Lattice?

A basis for L is any set of independent vectors that generates L.

The dimension of L is the no. of vectors in a basis for L.

Properties of Lattices

An integer lattice is a lattice all of whose vectors have integer coordinates.

Any two bases for a lattice L are related by a matrix having integer entries and determinant equal to ±1.

Hadamard Ratio

Good Basis vs Bad Basis

A good basis is one with nearly orthogonal vectors, i.e., having a Hadamard ratio close to 1.

A bad basis is one having a Hadamard ratio close to 0.

Hard problems on lattices

Note: No polynomial-time algorithm is known for approximating the CVP in R^n to within a polynomial factor of n.

Best known polynomial time algorithms were based on LLL.

Babai proved that CVP in R^n can be approximated to within a factor of 2^(n/2).

Babai's Algorithm

Cryptosystems based on hard Lattice Problems

Some of the initial ones are:
Ajtai-Dwork Cryptosystem.
GGH Cryptosystem by Goldreich, Goldwasser, Halevi.
NTRU cryptosystem by Hoffstein, Pipher and Silverman.

GGH Cryptosystem

Based on the problem of finding the lattice point closest to a given vector (CVP).
Security Parameter - n = dimension of the lattice
Threshold Parameter - = bound on error vector
Private Key - Good basis of lattice.
Public Key - Bad basis of the same lattice

GGH - Cryptosystem

Private Key (R) Generation

Choosing a random lattice: R, an n x n matrix, is chosen with elements taken uniformly at random from {-l,...,l} for some integer bound l. l had no effect on the basis, so a small value is chosen (4).

Choosing an almost rectangular lattice: Start with k.I and add the noise generated above. R = R + kI. Experimentally, we get best parameters when k~ln

Public Key (B) Generation

R is multiplied by a few random unimodular matrices. B = R.T1.T2
Each Ti = Li.Ui, where Li & Ui are lower & upper triangular matrices.
Each diagonal element is 1 in Li & Ui.
Other non-zero elements can be chosen at random; for experiments they chose from {-1,0,1}.
Multiplying R by at least 4 transformations is required to prevent attack using the LLL lattice reduction algorithm.
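The key generation described above, carried through to encryption (c = mB + e, as written in the attack slides) and round-off decryption with the private basis. This is an added example, not code from the slides or from the GGH paper. The function names, the name sigma for the threshold parameter, the parameter values used with it, the standard Hadamard ratio formula, and the row-vector convention (rows are basis vectors, so the unimodular factors multiply R on the left) are assumptions made here.

```python
import math, random
from fractions import Fraction

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def inverse(A):
    """Exact Gauss-Jordan over the rationals; returns (A^-1, det A)."""
    n, det = len(A), Fraction(1)
    M = [[Fraction(x) for x in row] + [Fraction(i == j) for j in range(n)]
         for i, row in enumerate(A)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)  # StopIteration if singular
        M[c], M[p] = M[p], M[c]
        det *= M[c][c] * (1 if p == c else -1)
        M[c] = [x / M[c][c] for x in M[c]]
        for r in range(n):
            if r != c:
                M[r] = [x - M[r][c] * y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M], det

def hadamard_ratio(basis):
    """(|det| / product of row norms)^(1/n); close to 1 means nearly orthogonal."""
    norms = math.prod(math.hypot(*row) for row in basis)
    return (abs(inverse(basis)[1]) / norms) ** (1 / len(basis))

def unimodular(n, rng):
    """T = L*U: unit-diagonal triangular factors, other entries from {-1, 0, 1}."""
    def tri(lower):
        return [[1 if i == j else rng.choice((-1, 0, 1)) if (j < i) == lower else 0
                 for j in range(n)] for i in range(n)]
    return matmul(tri(True), tri(False))

def keygen(n, l, k, rng, mixes=4):
    R = [[rng.randint(-l, l) + k * (i == j) for j in range(n)] for i in range(n)]
    B = R
    for _ in range(mixes):  # rows are basis vectors here, so T multiplies on the left
        B = matmul(unimodular(n, rng), B)
    return R, B  # private (good) basis, public (bad) basis

def encrypt(m, B, sigma, rng):
    e = [rng.choice((-sigma, sigma)) for _ in m]  # every error entry is +sigma or -sigma
    return [x + y for x, y in zip(matmul([m], B)[0], e)]  # c = mB + e

def decrypt(c, basis, B):
    """Babai round-off in `basis`, then express the lattice point in terms of B."""
    coeffs = [round(x) for x in matmul([c], inverse(basis)[0])[0]]
    v = matmul([coeffs], basis)
    return [int(x) for x in matmul(v, inverse(B)[0])[0]]
```

With n = 4, l = 4, k = 24 and sigma = 3 (values picked here so that R is strongly diagonally dominant), every entry of e·R^-1 stays below 1/2 and `decrypt(c, R, B)` always returns m. Passing B as the rounding basis, `decrypt(c, B, B)`, typically returns a wrong message, which is the good-basis versus bad-basis gap the Hadamard ratio measures.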

Cryptanalysis - GGH Cryptosystem

Following are the attacks on the GGH cryptosystem:

From the original paper by GGH:
The Round-off Attack
The Nearest-plane Attack
The Embedding Attack

From Phong Nguyen, which led to the failure of this system:
Based on Leaking Remainders

Embedding Attack

Embed the n basis vectors and the point c (for which we want to find the closest lattice point) in an (n+1)-dimensional lattice.

After embedding, lattice reduction algorithms are used to find the shortest non-zero vector in L(B).

This heuristic works up to dimensions 110-120.

Nguyen's Attack

Let (n, ) be as already defined & B be the public basis. Assume message m n is encrypted into ciphertext c n with B. There is an error vector e {}n such that

c = mB + e

Nguyen's Attack: Leaking Remainders

c = mB + e

Consider s = (,...,) n, then we have

e + s 0 (mod 2)
c + s mB (mod 2)

If we can solve the above equation, we get m modulo 2, denoted by m2

Nguyen's Attack: Simplifying the CVP

Once we get m2, observe that m - m2= 2m for some m n.

c = mB + e
c - m2B= (m - m2)B + e
c - m2B= 2mB + e

Nguyen's Attack

In the above equation, the LHS is known. So the new problem reads as a Closest Vector Problem (CVP) for which error vector e/2 {}n. Observe that this is a simpler CVP for which error vectors have entries , so traditional methods like embedding are more likely to work now that the error vector is smaller.

Advantages of Lattice Cryptography

Shor's algorithm (which runs on a quantum computer) can break the public key cryptographic systems which rely on the integer factorization problem or the discrete logarithm problem

Lattice based cryptography provides one of the best alternatives for post-quantum cryptographic systems

Most of lattice based cryptographic constructions are believed to be secure against attacks using either conventional or quantum computers

Disadvantages of Lattice Cryptography

NTRU based schemes are practical and efficient to implement but lack proof of security

Theoretical schemes like matrix based learning with errors offer strong security proof but use impractically large key sizes for general use

Since current publicly known experimental quantum computing is nowhere near powerful enough to attack real cryptographic systems, lattice based schemes are not used much in practice

Research has been done on trying to merge NTRU family algorithms and LWE (Learning with error) schemes

This class of algorithms is called Learning with errors designs over rings, which offer very efficient computation, moderate key sizes and strong proof of security

Recent Developments

References

An Introduction to Mathematical Cryptography by Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman
Public-key cryptosystems from lattice reduction problems by Oded Goldreich, Shafi Goldwasser, Shai Halevi
Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto 97 by Phong Nguyen
http://www.math.uni-bonn.de/~saxena/courses/WS2010-ref5.pdf
http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf
https://www.sav.sk/journals/uploads/0114115305BCKSS.pdf

Thank You
