https://www.microsoft.com/en-us/research/people/plonga/
ChinaCrypt 2017 Patrick Longa – Practical post-quantum cryptography from the LWE problem

Quantum computing
Modeling of nature
Computational optimization
Database search
Machine learning
Breaking of cryptographic schemes
Cryptography in use today
Public-key cryptography: RSA encryption and signatures, (EC)DSA signatures, (EC)DH key-exchange (based on factoring and (elliptic curve) discrete logs)
• Efficiently solved by a large-scale quantum computer (total break using Shor’s algorithm)
Symmetric-key cryptography: AES, SHA-2/SHA-3
• Only square-root speedup on a large-scale quantum computer (using Grover’s algorithm)
Cryptography in use today
Primitive    Key length    Classical bit-security    Quantum bit-security
Symmetric-key cryptography
AES-128      128 bits      128                       64 (Grover)
AES-256      256 bits      256                       128 (Grover)
Public-key cryptography
RSA-2048     2048 bits     112                       ~0 (Shor)
RSA-3072     3072 bits     128                       ~0 (Shor)
ECC256       256 bits      128                       ~0 (Shor)
ECC384       384 bits      192                       ~0 (Shor)
When will a large-scale, fault-tolerant quantum computer be built?
I estimate a “1/6 chance of breaking RSA-2048 within 10 years”.
(Michael Mosca, September 2017, ETSI/IQC Workshop on Quantum-Safe Cryptography 2017)
“Recent improvements in control of quantum systems make it seem feasible to finally build a quantum computer within a decade.”
(Bela Bauer et al., October 2015 – August 2016, arXiv:1510.03859v2)
“Quantum supremacy” might be close?
What do we need to protect now?
Assuming that a large-scale, fault-tolerant quantum computer has not been developed yet, but might be soon (say, in 10 years):
• Attacker records encrypted data today… and uses a quantum computer to access the secret data 10 years from now.
• Integrity of authentication only matters at the time of connection
  • Keep using classical digital signature schemes for now
Need quantum-resistant key agreement and encryption for long-term security
How can we protect ourselves?
Post-quantum cryptography (a.k.a. quantum-safe cryptography)
• Runs on classical computers
• Algorithms are conjectured to be secure against future quantum computer attacks
Quantum cryptography
• Exploits quantum mechanics
• Requires special hardware, much more expensive
• E.g., quantum key distribution (QKD)
It is possible to combine both cryptographic tool sets
Recent PQC effort
• April 2015: NIST held a “Workshop on Cybersecurity in a Post-Quantum World”, reaching out to academia and industry to discuss potential future standardization of PQC
• August 2015: NSA announced plans to “transition to quantum resistant algorithms in the not so distant future”
• February 2016: NIST published a “Report on Post-Quantum Cryptography”, outlining NIST’s plan to “initiate a standardization effort in post-quantum cryptography”
http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf
NIST’s PQC standardization project
• December 2016: call for proposals
https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
• November 30, 2017: deadline for submissions
• April 12-13, 2018: first PQC Standardization Conference (Fort Lauderdale, US)
• 3-5 years (2020-2022): analysis phase, NIST will report findings (1-2 workshops during this phase):
“The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.”
(This includes: digital signatures, encryption and key encapsulation).
• 2 years later (2022-2024): Draft Standards ready
Post-quantum candidates
Code-based: McEliece
Lattice-based: NTRU, LWE-based
Hash-based: Merkle’s hash-tree signatures
Multivariate: HFEv- signature scheme
Isogeny-based: SIDH
Post-quantum candidates: in this talk… lattice-based (LWE-based)
Lattices
A lattice is a set of integer linear combinations
$\mathcal{L} = \{\, a_1 \mathbf{b}_1 + \cdots + a_n \mathbf{b}_n \mid a_i \in \mathbb{Z} \,\}$
for linearly independent vectors $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ in $\mathbb{Z}^n$.
• $\mathbf{B}$ is a basis of the lattice
• In crypto, $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\} \subseteq \mathbb{Z}_q^n$ for some integer $q$
• The smallest Euclidean distance between two vectors (i.e. the length of a shortest nonzero vector) is
$\lambda_1(\mathcal{L}) := \min_{\mathbf{v} \in \mathcal{L} \setminus \{\mathbf{0}\}} \|\mathbf{v}\|$
• In this talk, we represent lattices as
[Figure: a two-dimensional lattice drawn from the origin $\mathbf{o}$ with basis vectors $\mathbf{b}_1$, $\mathbf{b}_2$ and the lattice point $\mathbf{b}_1 + \mathbf{b}_2$]
Hard lattice problems
Assume a basis $\mathbf{B}$ of an $n$-dimensional lattice $\mathcal{L} = \mathcal{L}(\mathbf{B})$.
• The shortest vector problem ($\mathrm{SVP}$): find $\mathbf{v} \in \mathcal{L} \setminus \{\mathbf{0}\}$ for which $\|\mathbf{v}\| = \lambda_1(\mathcal{L})$
• The approximate shortest vector problem ($\mathrm{SVP}_\gamma$): find $\mathbf{v} \in \mathcal{L} \setminus \{\mathbf{0}\}$ for which $\|\mathbf{v}\| \le \gamma(n) \cdot \lambda_1(\mathcal{L})$
• The decisional approximate shortest vector problem ($\mathrm{GapSVP}_\gamma$): determine whether $\lambda_1(\mathcal{L}) \le 1$ or $\lambda_1(\mathcal{L}) > \gamma(n)$
• The approximate shortest independent vectors problem ($\mathrm{SIVP}_\gamma$): find $n$ linearly independent vectors $\{\mathbf{v}_i\}$ for which $\|\mathbf{v}_i\| \le \gamma(n) \cdot \lambda_n(\mathcal{L})$ for all $i$
• The Bounded Distance Decoding problem ($\mathrm{BDD}_\gamma$): given a target point $\mathbf{t} \in \mathbb{R}^n$ for which $\mathrm{dist}(\mathbf{t}, \mathcal{L}) < d = \lambda_1(\mathcal{L}) / (2\gamma(n))$, find the unique lattice vector $\mathbf{v}$ such that $\|\mathbf{t} - \mathbf{v}\| < d$
For $\gamma = \mathrm{poly}(n)$, solving requires either $2^{\Omega(n \log n)}$ time, or $2^{\Omega(n)}$ time and space
Another hard problem: LWE
Regev’05
Parameters: dimension $n$, integer $m$, modulus $q$ and error distributions $\mathcal{X}_s$, $\mathcal{X}_e$ (here taken equal: $\mathcal{X}$)
Setup: Sample $\mathbf{s} \leftarrow_\$ \mathcal{X}^n$, $\mathbf{e} \leftarrow_\$ \mathcal{X}^n$, $\mathbf{A} \leftarrow_\$ U(\mathbb{Z}_q^{n \times m})$, and let $\mathbf{b} = (\mathbf{A} \times \mathbf{s} + \mathbf{e}) \in \mathbb{Z}_q^n$
Search LWE problem: given $(\mathbf{A}, \mathbf{b})$, find $\mathbf{s}$
[Figure: $\mathbf{A} \times \mathbf{s} + \mathbf{e} = \mathbf{b}$ drawn as matrices, with $\mathbf{A}$ random, $\mathbf{s}$ random and small, $\mathbf{e}$ small, and $\mathbf{b}$ looking random. Given blue and green ($\mathbf{A}$, $\mathbf{b}$), find red ($\mathbf{s}$).]
Small secrets: one can use $\mathcal{X}_s = \mathcal{X}_e$ [ACPS’09]
Another hard problem: LWE
Regev’05
Parameters: dimension $n$, integer $m$, modulus $q$ and error distribution $\mathcal{X}$
Setup: Sample $\mathbf{s} \leftarrow_\$ \mathcal{X}^n$, $\mathbf{e} \leftarrow_\$ \mathcal{X}^n$, $\mathbf{A} \leftarrow_\$ U(\mathbb{Z}_q^{n \times m})$, and let $\mathbf{b} = \mathbf{A} \times \mathbf{s} + \mathbf{e} \in \mathbb{Z}_q^n$; alternatively, sample a uniform $\mathbf{b} \leftarrow_\$ U(\mathbb{Z}_q^n)$
Decision LWE problem: distinguish $(\mathbf{A}, \mathbf{b})$ from uniform $(\mathbf{A}, \mathbf{b})$
[Figure: $\mathbf{A} \times \mathbf{s} + \mathbf{e} = \mathbf{b}$ drawn as matrices, with $\mathbf{A}$ random, $\mathbf{s}$ random and small, $\mathbf{e}$ small, and $\mathbf{b}$ looking random, next to a uniform $\mathbf{b}$. Given blue ($\mathbf{A}$), distinguish green ($\mathbf{A}\mathbf{s} + \mathbf{e}$) from yellow (uniform $\mathbf{b}$).]
Error sampling
• Typically uses a discrete Gaussian distribution of width $s$
• The continuous Gaussian distribution $D_s$ has probability density
$f(\mathbf{x}) = \rho_s(\mathbf{x}) \Big/ \int_{\mathbb{R}^n} \rho_s(\mathbf{z})\, d\mathbf{z} = \rho_s(\mathbf{x}) / s^n$
for the Gaussian function $\rho_s(\mathbf{x}) = \exp(-\pi \|\mathbf{x}\|^2 / s^2)$.
• The discrete Gaussian distribution $D_{\mathcal{L},s}$ over $\mathcal{L}$ is defined as
$D_{\mathcal{L},s}(\mathbf{x}) = \rho_s(\mathbf{x}) / \rho_s(\mathcal{L})$ if $\mathbf{x} \in \mathcal{L}$, and $D_{\mathcal{L},s}(\mathbf{x}) = 0$ otherwise,
where $\rho_s(\mathcal{L}) = \sum_{\mathbf{v} \in \mathcal{L}} \rho_s(\mathbf{v})$ is a normalization factor.
• Analysis of Rényi divergence yields efficient and simple distributions
Width $s$, $n \le$ error $\ll q$; error rate $\alpha = s/q$
An efficient LWE instantiation: Frodo
Bos–Costello–Ducas–Mironov–Naehrig–Nikolaenko–Raghunathan–Stebila, 2016
• Basic unauthenticated LWE key agreement
• Based on Lindner–Peikert LWE PKE scheme (2010) and Ding et al.’s DH-like protocol (2012)
• $\mathcal{X}$: approximation to rounded Gaussian
• Sampling is simple and can be done in constant time, e.g., using inversion sampling:
  • Table $T_\mathcal{X}$ stores $(s+1)$ integers related to the discrete cumulative distribution function
  • Given a random value $r$, determine the smallest index $i$ such that $r \le T_\mathcal{X}[i]$
  • Output $(-1)^b \cdot i$ for a random bit $b$
• Two post-quantum parameter sets: “recommended” and “paranoid”
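The inversion sampler just described, as an added example that is not code from the slides or from Frodo: it covers both the Error sampling slide (the folded discrete Gaussian weights) and the table-based sampling bullets above. The table is constructed here for a rounded Gaussian with standard deviation `sigma`, truncated at |x| ≤ `tail` and scaled to 16-bit integers; `sigma`, `tail`, the 16-bit scale and the weight construction are assumptions of this example, and Frodo's own tables (derived with the Rényi-divergence analysis) are not reproduced. The sampler computes the smallest index i with r ≤ T[i] without a data-dependent branch or early exit, then applies the sign (−1)^b.

```python
import math
import os

def build_cdf_table(sigma, tail, bits=16):
    """Constructed table T_X for a rounded Gaussian of standard deviation sigma,
    truncated to |x| <= tail (tail + 1 entries, the slide's "(s + 1) integers").
    T[i] = P(|x| <= i) scaled to [0, 2^bits - 1]. The sign is added separately by
    the sampler, so 0 gets half the weight of a folded value i > 0 (which stands
    for both +i and -i)."""
    weights = [math.exp(-(i * i) / (2 * sigma * sigma)) for i in range(tail + 1)]
    weights[0] /= 2
    total = sum(weights)
    table, cum = [], 0.0
    for w in weights:
        cum += w / total
        table.append(min(round(cum * (2 ** bits - 1)), 2 ** bits - 1))
    table[-1] = 2 ** bits - 1            # last entry absorbs the remaining mass
    return table

def sample_from_table(table, r, b):
    """Inversion sampling with no data-dependent branch: i counts the table entries
    strictly below r, i.e. i is the smallest index with r <= T[i]; then the sign
    (-1)^b is applied arithmetically. Python gives no timing guarantees; the point is
    the branch-free structure a C implementation would use."""
    i = 0
    for t in table:
        i -= (t - r) >> 63               # adds 1 exactly when t < r (sign bit of t - r)
    return (i ^ -b) + b                  # i when b == 0, -i when b == 1

def sample(table):
    """Draw r uniformly from [0, 2^16) and a sign bit b from the OS RNG, then sample."""
    rnd = os.urandom(3)
    r = int.from_bytes(rnd[:2], "little")
    b = rnd[2] & 1
    return sample_from_table(table, r, b)

def empirical_variance(table, count=20000):
    """Sanity check on the constructed table: the sample variance of the truncated
    distribution (mean 0 by symmetry) should sit a little below sigma^2."""
    xs = [sample(table) for _ in range(count)]
    mean = sum(xs) / count
    return sum((x - mean) ** 2 for x in xs) / count
```

With `sigma = 2.3` and `tail = 5` the table has six entries, the probability of drawing 0 is (T[0] + 1) / 2^16, and every draw lies in [−5, 5]; because the loop always visits every entry, the running time does not depend on the sampled value.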
An efficient LWE instantiation: Frodo
Bos–Costello–Ducas–Mironov–Naehrig–Nikolaenko–Raghunathan–Stebila, 2016
[Figure: the matrices $\mathbf{A} \times \mathbf{S} + \mathbf{E}$ drawn for both parameter sets, of size $n \times 8$ over $\mathbb{Z}_{2^{15}}$]
                          Recommended Frodo                      Paranoid Frodo
Matrix size               $752 \times 8$ over $\mathbb{Z}_{2^{15}}$   $864 \times 8$ over $\mathbb{Z}_{2^{15}}$
$T_\mathcal{X}$           6 elements                             7 elements
Error probability         $2^{-38.9}$                            $2^{-33.8}$
Security                  144-bit classical, 130-bit quantum     177-bit classical, 161-bit quantum
Communication             ~11KB each way                         ~13KB each way
Is it possible to improve communication bandwidth?
Another hard problem: R-LWE
Lyubashevsky–Peikert–Regev, 2010
Is it possible to improve communication bandwidth?
• Use lattices with a ring structure: representation using polynomials in a ring $R_q$
• Efficient instantiation:
  dimension $n = 2^k$, for some integer $k$
  prime $q \equiv 1 \bmod 2n$
  quotient ring $R_q = R/qR \cong \mathbb{Z}_q[x]/(x^n + 1)$
  error distribution $\mathcal{X}$
• Basically, replace the $n \times n$ matrix $\mathbf{A}$ by the matrix of a ring element $\boldsymbol{a}$ (rows are anti-cyclic rotations: need $n$ elements only)
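The "rows are anti-cyclic rotations" remark, as an added example that is not code from the slides or from any R-LWE library: multiplication in $\mathbb{Z}_q[x]/(x^n + 1)$ is written out as a schoolbook product, the $n \times n$ matrix whose row $i$ is $x^i \cdot \boldsymbol{a}$ is built from the $n$ coefficients of $\boldsymbol{a}$ alone, and the vector-matrix product is checked to equal the ring product. The toy parameters $n = 4$, $q = 17$ are constructed for the example (17 is prime and $17 \equiv 1 \bmod 8$, as the instantiation above requires).

```python
# Constructed toy parameters (assumption): n = 2^k with k = 2, q = 17 prime with q = 1 mod 2n
N, Q = 4, 17

def poly_mul_negacyclic(a, s, q=Q):
    """a * s in Z_q[x]/(x^n + 1): schoolbook product where x^n wraps around to -1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, sj in enumerate(s):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * sj) % q
            else:
                out[k - n] = (out[k - n] - ai * sj) % q   # x^k = x^(k-n) * x^n = -x^(k-n)
    return out

def anticyclic_matrix(a, q=Q):
    """Row i is x^i * a mod (x^n + 1): shift right by one and negate the wrapped
    coefficient. The whole n x n matrix is determined by the n coefficients of a,
    which is why a ring element replaces a full random matrix A."""
    rows, cur = [], list(a)
    for _ in range(len(a)):
        rows.append(cur)
        cur = [(-cur[-1]) % q] + cur[:-1]
    return rows

def vec_mat(s, M, q=Q):
    """s^T * M over Z_q; with M = anticyclic_matrix(a) this equals a * s in R_q,
    because sum_j s_j * (x^j a) = a * sum_j s_j x^j."""
    n = len(s)
    return [sum(s[j] * M[j][k] for j in range(n)) % q for k in range(n)]

def rlwe_sample(a, s, e, q=Q):
    """b = a * s + e in R_q: one R-LWE sample, one ring element instead of n LWE rows."""
    prod = poly_mul_negacyclic(a, s, q)
    return [(p + ei) % q for p, ei in zip(prod, e)]
```

For $\boldsymbol{a} = 1 + 2x + 3x^2 + 4x^3$ the second row of the matrix is $x \cdot \boldsymbol{a} = -4 + x + 2x^2 + 3x^3$, i.e. $[13, 1, 2, 3]$ modulo 17; the sign flip on the wrapped coefficient is the only difference from a cyclic (circulant) matrix, and it comes directly from $x^n = -1$ in the quotient ring.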
Another hard problem: R-LWE
Lyubashevsky–Peikert–Regev, 2010
Parameters: dimension $n$, modulus $q$, ring $R_q$ and error distribution $\mathcal{X}$
Setup: secret $\boldsymbol{s} \in R_q$, sample $\boldsymbol{e} \leftarrow_\$ \mathcal{X}$, $\boldsymbol{a} \leftarrow_\$ U(R_q)$, and let $\boldsymbol{b} = (\boldsymbol{a} \times \boldsymbol{s} + \boldsymbol{e}) \in R_q$
Search R-LWE problem: given $(\boldsymbol{a}, \boldsymbol{b})$, find $\boldsymbol{s}$
[Figure: $\boldsymbol{a} \times \boldsymbol{s} + \boldsymbol{e} = \boldsymbol{b}$ drawn as polynomials, with $\boldsymbol{a}$ random, $\boldsymbol{s}$ random, $\boldsymbol{e}$ small, and $\boldsymbol{b}$ looking random. Given blue and green ($\boldsymbol{a}$, $\boldsymbol{b}$), find red ($\boldsymbol{s}$).]
Another hard problem: R-LWE
Lyubashevsky–Peikert–Regev, 2010
Parameters: dimension $n$, modulus $q$, ring $R_q$ and error distribution $\mathcal{X}$
Setup: secret $\boldsymbol{s} \in R_q$, sample $\boldsymbol{e} \leftarrow_\$ \mathcal{X}$, $\boldsymbol{a} \leftarrow_\$ U(R_q)$, and let $\boldsymbol{b} = (\boldsymbol{a} \times \boldsymbol{s} + \boldsymbol{e}) \in R_q$; alternatively, sample a uniform $\boldsymbol{b} \leftarrow_\$ U(R_q)$
Decision R-LWE problem: distinguish $(\boldsymbol{a}, \boldsymbol{b})$ from uniform $(\boldsymbol{a}, \boldsymbol{b})$
[Figure: $\boldsymbol{a} \times \boldsymbol{s} + \boldsymbol{e} = \boldsymbol{b}$ drawn as polynomials, with $\boldsymbol{a}$ random, $\boldsymbol{s}$ random, $\boldsymbol{e}$ small, and $\boldsymbol{b}$ looking random, next to a uniform $\boldsymbol{b}$. Given blue ($\boldsymbol{a}$), distinguish green ($\boldsymbol{a}\boldsymbol{s} + \boldsymbol{e}$) from yellow (uniform $\boldsymbol{b}$).]
An efficient R-LWE instantiation: NewHope
Alkim–Ducas–Pöppelmann–Schwabe, 2016
• Unauthenticated R-LWE key agreement
• Improves upon a passively secure KEM instantiation by Bos et al. (2015)
  • Improved analysis of the error probability → refined parameters
  • Reduces communication bandwidth, improves speed
• Uses simple centered binomial distribution $\psi_k$: sample by computing $\sum_{i=0}^{k} (b_i - b'_i)$ for uniform independent bits $b_i$, $b'_i$
• Error probability ≈ $2^{-60}$
• Parameters: $n = 1024$, $q = 12289$
• Estimated 281-bit classical security, 255-bit quantum security
• Communication: ~2KB each way
LWE versus R-LWE
• LWE relies on hardness of a problem on generic lattices
• R-LWE relies on hardness of a problem on ideal lattices
• Generic lattices make LWE bigger and slower
• But ideal lattices inject additional structure… Does this provide any advantage to attackers?
Short answer: no, so far
Long answer: there is a constant factor improvement in some R-LWE instances.
LWE remains a conservative option that offers greater security guarantees against potential future attacks.
(Unauthenticated) LWE key agreement
Public: $\mathbf{A} \in \mathbb{Z}_q^{n \times n}$
Alice
  Secret: random “small” $\mathbf{s}, \mathbf{e} \leftarrow_\$ \mathcal{X}^n$
  Sends $\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e}$
  Shared key: $\mathbf{b}'\mathbf{s} = \mathbf{s}'\mathbf{A}\mathbf{s} + \mathbf{e}'\mathbf{s} \approx \mathbf{s}'\mathbf{A}\mathbf{s}$
Bob
  Secret: random “small” $\mathbf{s}', \mathbf{e}' \leftarrow_\$ \mathcal{X}^n$
  Sends $\mathbf{b}' = \mathbf{s}'\mathbf{A} + \mathbf{e}'$
  Shared key: $\mathbf{s}'\mathbf{b} = \mathbf{s}'\mathbf{A}\mathbf{s} + \mathbf{s}'\mathbf{e} \approx \mathbf{s}'\mathbf{A}\mathbf{s}$
• Need rounding to achieve exact agreement
  • Can use reconciliation technique by Ding et al. (2012), improvements by Peikert (2014)
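The exchange above run end to end, as an added example that is not code from the slides or from Frodo/NewHope. Alice and Bob each hold a few columns of secrets (Frodo-style matrices, $\bar{n} = 4$ per side) so that the two sides' values are small matrices; the parameters, the use of a NewHope-style centered binomial sampler with $k$ pairs of bits, and the seeded PRNG (so the run is reproducible; a real implementation draws from the OS RNG) are assumptions of this example. The example measures the noise term $\mathbf{e}'\mathbf{s} - \mathbf{s}'\mathbf{e}$ against its bound and against $q$, and shows that naive rounding of each value to its top bit is guaranteed to agree only on positions away from the rounding boundaries, which is exactly the gap that reconciliation closes.

```python
import random

# Constructed toy parameters (assumption): far too small to be secure, chosen so that the
# noise bound is easy to compare with q. N = dimension, Q = modulus, NBAR = secret
# columns per side, K = centered-binomial parameter.
N, Q, NBAR, K = 64, 2 ** 15, 4, 2

def centered_binomial(rng, k=K):
    """One sample from psi_k: sum of k differences of uniform bits, values in [-k, k]."""
    return sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(k))

def small_matrix(rng, rows, cols):
    return [[centered_binomial(rng) for _ in range(cols)] for _ in range(rows)]

def matmul(X, Y, q=Q):
    return [[sum(X[r][k] * Y[k][c] for k in range(len(Y))) % q
             for c in range(len(Y[0]))] for r in range(len(X))]

def add(X, Y, q=Q):
    return [[(a + b) % q for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

def key_agreement(seed):
    """The protocol of the slide with matrices: Alice holds S, E (N x NBAR), Bob holds
    S', E' (NBAR x N). Returns the raw shared values (NBAR x NBAR) each side computes."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]       # public, uniform
    S, E = small_matrix(rng, N, NBAR), small_matrix(rng, N, NBAR)      # Alice's secrets
    S2, E2 = small_matrix(rng, NBAR, N), small_matrix(rng, NBAR, N)    # Bob's secrets
    B = add(matmul(A, S), E)          # Alice -> Bob:   B  = A S  + E
    B2 = add(matmul(S2, A), E2)       # Bob -> Alice:   B' = S' A + E'
    alice = matmul(B2, S)             # Alice: B' S = S' A S + E' S
    bob = matmul(S2, B)               # Bob:   S' B = S' A S + S' E
    return alice, bob

def centered_diff(x, y, q=Q):
    """x - y mapped to the centered range (-q/2, q/2]."""
    d = (x - y) % q
    return d - q if d > q // 2 else d

def noise_bound():
    """Entry-wise bound on E' S - S' E: 2N products, each of magnitude at most K^2."""
    return 2 * N * K * K

def max_noise(alice, bob):
    return max(abs(centered_diff(a, b)) for ra, rb in zip(alice, bob) for a, b in zip(ra, rb))

def round_bits(V, q=Q):
    """Naive 1-bit rounding: the top bit of each value (1 iff q/2 <= v < q)."""
    return [[1 if v >= q // 2 else 0 for v in row] for row in V]

def robust_indices(V, q=Q):
    """Positions whose value is farther than the noise bound from both rounding
    boundaries (0 and q/2). There the other side's value, which differs by at most
    the bound, lands in the same half, so the naive bits agree; elsewhere they may not."""
    bound = noise_bound()
    half = q // 2
    return [(r, c) for r, row in enumerate(V) for c, v in enumerate(row)
            if min(v % half, half - v % half) > bound]
```

With these parameters the bound is $2 \cdot 64 \cdot 4 = 512$ against $q/4 = 8192$, so the two sides' values differ by a small amount in every position, yet a position within 512 of a boundary can still round differently; counting `len(robust_indices(alice))` against the 16 positions shows how many bits would be safe without a reconciliation step.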
(Unauthenticated) LWE key agreement
• But it is possible to avoid reconciliation
• Relatively small penalty:
  • Example: NewHope-Simple pays a 6.25% increase in ciphertext size
• NewHope/Frodo: generate fresh matrix $\mathbf{A}$ each time
  • Alice can use a random seed as input to a XOF like SHAKE
  • Send seed to Bob
  • Safeguards against backdoors and “all-for-the-price-of-one” attacks
• Crucial disadvantage: only secure against passive attackers
  • NewHope/Frodo are IND-CPA secure, not IND-CCA secure
  • Both are ephemeral key exchange schemes: must not reuse keys
Derive key encapsulation mechanism (KEM) using IND-CPA to IND-CCA transformation
LWE key encapsulation
• Begin with an IND-CPA PKE
  • Can use a variant of Lindner–Peikert PKE scheme
• Transform it to IND-CCA KEM using a variant of Fujisaki–Okamoto (FO) transform
  • Original FO transforms IND-CPA PKE to IND-CCA PKE
  • Variant by Targhi–Unruh achieves security in QROM
  • Hofheinz–Hövelmanns–Kiltz (HHK) give explicit variant IND-CPA PKE → IND-CCA KEM
• HHK transform is secure in both the classical and quantum ROM models
LWE KEM based on IND-CPA PKE
• IND-CPA PKE consists of tuple (KeyGen, CPA.Encrypt, CPA.Decrypt) and message space M
  (pk, sk) ← KeyGen()
  ct ← CPA.Encrypt(pk, m)
  m ← CPA.Decrypt(sk, ct)
• IND-CCA KEM consists of tuple (KeyGen, Encaps, Decaps) and keyspace K
  (pk, sk) ← KeyGen()
  (ss, c) ← Encaps(pk)
  ss ← Decaps(sk, c)
LWE KEM based on IND-CPA PKE
[Figure: data flow of Encaps and Decaps; boxes are CPA.Encrypt, CPA.Decrypt and Hash, with string concatenation and string splitting drawn as joins and forks]
Legend: sk: secret key, pk: public key, ss: shared key, ct: ciphertext, m: message
Encaps
• Pick random message m
• Generate key r = f(pk, m) and encrypt m: Hash(pk, m) is split into (r, d, K); ct ← CPA.Encrypt(pk, m) using randomness r; c is the concatenation of ct and d
• Compute shared key ss = g(ct, pk, m): ss = Hash(K, c)
Decaps
• Decrypt to recover m: split c into (ct, d); m′ ← CPA.Decrypt(sk, ct)
• Reproduce encryption: Hash(pk, m′) is split into (r′, d′, K′); ct′ ← CPA.Encrypt(pk, m′) using randomness r′
• Verify correctness: if (ct′, d′) = (ct, d) then ss = H(K′, c) (yes branch), else ss = H(z, c) (no branch)
LWE key encapsulation: à la Kyber
KeyGen
1. Random values $z, s_A, s_E \leftarrow_\$ U(\{0,1\}^{256})$
2. Generate $\mathbf{A}$ using seed $s_A$
3. Sample $s, e$ using $s_E$
4. Compress $b = \mathbf{A}s + e$
Public key: $pk = (s_A, b)$
Private key: $sk = (s, z, s_A, b)$
LWE key encapsulation: à la Kyber

Encaps
1. message $m \leftarrow_{\$} U(\{0,1\}^{256})$
2. $(K, r, d) \leftarrow G(pk, m)$
3. Generate $A$ using seed $s_A$
4. Sample $s', e', e''$ using seed $r$
5. Compress $c_1 = A^T s' + e'$   (encryption)
6. Compress $c_2 = b^T s' + e'' + \mathrm{Enc}(m)$
Ciphertext: $c = (c_1, c_2, d)$
Shared key: $ss = H(K, c)$

Decaps
1. Generate $A$ using seed $s_A$
2. $m' = \mathrm{Compress}(c_2 - s^T c_1)$   (decryption)
3. $(K', r', d') \leftarrow G(pk, m')$
4. Sample $s', e', e''$ using seed $r'$
5. Compress $c_1' = A^T s' + e'$   (re-encryption)
6. Compress $c_2' = b^T s' + e'' + \mathrm{Enc}(m')$
7. If $(c_1', c_2', d') = c$ then $ss = H(K', c)$, else $ss = H(z, c)$

Public key: $pk = (s_A, b)$
Private key: $sk = (s, z, s_A, b)$

In Kyber:
• $G, H$ are instantiated with SHAKE-128
• Expansion of private and public seeds is done with cSHAKE-128
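The Encaps/Decaps flow above, carried out on a deliberately tiny plain-LWE instance as an added example (not the speaker's or Kyber's code): the modulus, dimensions, the 16-bit message and the SHAKE-128 domain tags are all constructed here, so the code illustrates the re-encryption check and implicit rejection but offers no security.

```python
import hashlib

Q, N, L = 3329, 32, 16  # constructed toy parameters: modulus, LWE dimension, message bits (NOT a secure size)

# SHAKE-128 serves as G, H and as the seed expander (stand-in for cSHAKE-128); ser() gives fixed-width encodings
def xof(data, tag, nbytes): return hashlib.shake_128(tag + data).digest(nbytes)
def mul(A, B): return [[sum(a*b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]
def add(A, B): return [[(a + b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
def ser(M): return b"".join(x.to_bytes(2, "little") for row in M for x in row)

def sample(seed, tag, rows, cols, small):  # small: entries in {-1,0,1} (secrets/errors); else uniform mod Q (A)
    raw = xof(seed, tag, rows * cols * (1 if small else 2))
    vals = [b % 3 - 1 for b in raw] if small else [int.from_bytes(raw[i:i+2], "little") % Q for i in range(0, len(raw), 2)]
    return [vals[r*cols:(r+1)*cols] for r in range(rows)]

def keygen(seed_A, seed_s):
    A, S, E = sample(seed_A, b"A", N, N, False), sample(seed_s, b"S", N, L, True), sample(seed_s, b"E", N, L, True)
    B, z = add(mul(A, S), E), xof(seed_s, b"z", 32)              # b = A s + e; z = implicit-rejection secret
    return (seed_A, B), (S, z, seed_A, B)                        # pk = (s_A, b), sk = (s, z, s_A, b)

def encrypt(pk, m_bits, r):  # LWE encryption with all coins derived from seed r (Encaps steps 3-6)
    A = sample(pk[0], b"A", N, N, False)
    s1, e1, e2 = (sample(r, t, 1, n, True) for t, n in ((b"s'", N), (b"e'", N), (b"e''", L)))
    c1 = add(mul(s1, A), e1)                                     # c1 = A^T s' + e'  (kept as a row vector)
    c2 = add(add(mul(s1, pk[1]), e2), [[bit * (Q // 2) for bit in m_bits]])  # c2 = b^T s' + e'' + Enc(m)
    return c1, c2

def decrypt(S, c1, c2):  # m' = Compress(c2 - s^T c1): each coefficient rounds to 0 or q/2
    return [1 if Q // 4 < t <= 3 * Q // 4 else 0 for t in ((x - y) % Q for x, y in zip(c2[0], mul(c1, S)[0]))]

def G(pk, m):  # (K, r, d) <- G(pk, m)
    g = xof(m, b"G" + pk[0] + ser(pk[1]), 96)
    return g[:32], g[32:64], g[64:]

def H(key, c):  # ss = H(key, c) with c = (c1, c2, d)
    return xof(ser(c[0]) + ser(c[1]) + c[2], b"H" + key, 32)

def encaps(pk, m):  # m is the L/8-byte random message of step 1, passed in so runs are reproducible
    K, r, d = G(pk, m)
    c1, c2 = encrypt(pk, [(m[i // 8] >> (i % 8)) & 1 for i in range(L)], r)
    return (c1, c2, d), H(K, (c1, c2, d))

def decaps(sk, c):
    S, z, *pk = sk
    m_bits = decrypt(S, c[0], c[1])
    m = bytes(sum(m_bits[8*i + j] << j for j in range(8)) for i in range(L // 8))
    K2, r2, d2 = G(pk, m)
    ok = encrypt(pk, m_bits, r2) + (d2,) == c                    # re-encrypt and compare (constant time in a real KEM)
    return H(K2, c) if ok else H(z, c)                           # implicit rejection: H(z, c) on mismatch
```

Altering any coefficient of c by a small amount leaves the recovered m unchanged but fails the re-encryption check, so the caller receives H(z, c) rather than the real key.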
LWE key encapsulation: recent proposals
• Kyber (Bos–Ducas–Kiltz–Schwabe–Stehlé, 2017) https://eprint.iacr.org/2017/634.pdf
  • Based on hardness of a problem in module lattices (M-LWE)
  • Increases module dimension, which makes some recent lattice attacks inapplicable
• HILA5 (Saarinen, 2017) https://github.com/mjosaarinen/hila5
  • Based on hardness of a problem in ring lattices (R-LWE)
  • Improved reconciliation technique based on Peikert's technique, plus efficient error correction
• ThreeBears (Hamburg, 2017) https://www.shiftleft.org/papers/threebears
  • Based on hardness of a problem in module lattices (M-LWE)
  • Replaces the polynomial ring with a pseudo-Mersenne prime field
  • Based on Kyber's design, and exploits the Melas BCH error-correcting technique
LWE key encapsulation: recent proposals
• FrodoKEM (Alkim–Bos–Ducas–Longa–Mironov–Naehrig–Nikolaenko–Peikert–Raghunathan–Stebila, 2017)
  • Conservative Frodo adapted to an IND-CCA KEM
  • Based on hardness of a problem in generic lattices (LWE)
  • New improved parameters, supporting a reduction from a worst-case BDD variant
  • New improved implementation
Software and full details coming soon!
Performance of post-quantum KEMs

Primitive                Quantum sec.    Problem     Speed         Comm.
Classical
  RSA 3072               ~0 bits         factoring   4.6 ms        0.8 KB
  ECDH NIST P-256        ~0 bits         EC dlog     1.4 ms        0.1 KB
Passively secure KEMs (IND-CPA)
  NewHope                206 bits        R-LWE       0.06 ms       3.8 KB
  Frodo                  130 bits        LWE         1.4 ms        22 KB
IND-CCA secure KEMs
  NTRU-KEM               123 bits        NTRU        0.03 ms       1.3 KB
  Kyber                  161 bits        M-LWE       0.07 ms       1.2 KB
  FrodoKEM               103–150 bits    LWE         1.2–2.3 ms    9.5–15.4 KB
  SIDH                   84–125 bits     isogenies   10–30 ms      0.4–0.6 KB

(Speed column: from very fast to slow. Comm. column: from very small to large.)
Summary
• Learning with Errors supports highly flexible and efficient cryptographic schemes that are conjectured to be quantum resistant
• While ring and module LWE offer great speed performance and reduced bandwidth, they introduce additional structure into the underlying lattices
• Frodo (FrodoKEM), based on generic lattices, offers a very conservative yet reasonably efficient PQ alternative
• More cryptanalysis is needed to fully understand security implications of many design decisions
References
• E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe. Post-quantum key exchange - a new hope. USENIX Security, 2015.
• J.W. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan, D. Stebila. Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE. ACM CCS 2016.
• J.W. Bos, C. Costello, M. Naehrig, D. Stebila. Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem. IEEE Symposium on Security and Privacy 2015.
• J.W. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J.M. Schanck, P. Schwabe, D. Stehlé. CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634.
• J. Ding, X. Xie, X. Lin. A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688.
• R. Lindner, C. Peikert. Better key sizes (and attacks) for LWE-based encryption. CT-RSA 2011.
• V. Lyubashevsky, C. Peikert, O. Regev. On ideal lattices and learning with errors over rings. Eurocrypt 2010.
• C. Peikert. Lattice cryptography for the Internet. PQCrypto 2014.
• O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.
https://www.microsoft.com/en-us/research/people/plonga/