Lattice-based Cryptography

Oded Regev, Tel-Aviv University

CRYPTO 2006, Santa Barbara, CA

Outline

• Introduction to lattices
• Survey of lattice-based cryptography
  • Hash functions [Ajtai96, …]
  • Public-key cryptography [AjtaiDwork97, …]
• Construction of a simple lattice-based hash function
• Open problems

Lattice

• For any linearly independent vectors v_1, …, v_n in R^n, the lattice spanned by v_1, …, v_n is the set of points
  L = { a_1 v_1 + … + a_n v_n | a_i integers }
• These vectors form a basis of L

[Figure: a two-dimensional lattice with basis v_1, v_2; the points 0, 2v_1, v_1+v_2, 2v_2, 2v_2−v_1 and 2v_2−2v_1 are labelled]

History of Lattices

• Geometric objects with rich structure
• Investigated since 1800 by Lagrange, Gauss, Hermite, and Minkowski
• More recent developments:
  – LLL algorithm: finds ‘somewhat short’ vectors in lattices [LenstraLenstraLovász82]. Applications include:
    • Factoring polynomials over the rationals
    • Solving integer programs in fixed dimension
    • Cryptanalysis:
      – Breaking knapsack cryptosystems [LagariasOdlyzko85]
      – Breaking special cases of RSA [Coppersmith01]
      – And more…
  – Ajtai’s lattice-based cryptographic construction [Ajtai96]

Shortest Vector Problem (SVP)

• SVP: given a lattice, find a shortest (nonzero) vector
• γ-approximate SVP: given a lattice, find a nonzero vector of length at most γ times the length of a shortest nonzero vector
• Other lattice problems: SIVP, SBP, etc.

[Figure: the lattice with basis v_1, v_2 from the previous slide, with 0 marked and the vector 3v_2−4v_1 highlighted as the shortest nonzero vector]

Lattice Problems Seem Hard

• We’ll be interested in γ-approximate SVP for γ = poly(n)
  – Best known algorithm runs in time 2^{O(n)} [AjtaiKumarSivakumar01]
  – On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04]
• Best poly-time algorithm solves for γ = 2^{n log log n / log n} [LLL82, Schnorr85]
• NP-hard for sub-polynomial γ = 2^{(log n)^{1−ε}} [Khot04]

[Figure: the approximation factor γ on a line starting at 1: NP-hard up to 2^{(log n)^{1−ε}}; in NP∩coNP from about √n; the factor n on which the cryptographic constructions rely; in P from 2^{n log log n / log n}]

Survey of Lattice-based Cryptography

Why use lattice-based cryptography

‘Standard’ cryptography                               | Lattice-based cryptography
Based on hardness of factoring, discrete log, etc.    | Based on hardness of lattice problems
Based on an average-case assumption                   | Based on a worst-case assumption
Broken by quantum algorithms                          | (Still) Not broken by quantum algorithms
Require modular exponentiation etc.                   | Very simple computations

Collision-Resistant Hash Functions

• A CRHF is a function f: {0,1}^r → {0,1}^s with r > s such that it is hard to find collisions, i.e., x ≠ y s.t. f(x) = f(y)
  (more precisely, a family of such functions indexed by a public key; finding a collision must be hard for a randomly chosen member of the family)
• First lattice-based CRHF given in [Ajtai96]
  – Based on the worst-case hardness of n^8-approximate SVP
• Security improved in subsequent works [GoldreichGoldwasserHalevi97, CaiNerurkar97, Micciancio02, MicciancioR04]
• Current state-of-the-art is a CRHF based on n-approximate SVP [MicciancioR04]

The Modular Subset-Sum Function

• Let N be a big integer, and m = 2 log_2 N
• Choose a_1, …, a_m uniformly in {0, …, N−1}. Then define f_{a_1,…,a_m}: {0,1}^m → {0, …, N−1} by
  f_{a_1,…,a_m}(b_1, …, b_m) = Σ b_i a_i mod N
• Since m > log_2 N, (many) collisions exist
• We will later see a proof of security: being able to find a collision in a randomly chosen f, even with probability n^{−100}, implies a solution to any instance of approximate-SVP

Recent Work: More Efficient CRHFs

• In the constructions above, for security based on n-dimensional lattices, O(n^2) bits are necessary to specify a hash function
• More efficient constructions were given in [Micciancio04, LyubashevskyMicciancio06, PeikertRosen06]
  – Only O(n) bits needed to specify a hash function
  – Based on worst-case hardness of approximate-SVP on a restricted class of lattices known as cyclic lattices

Public-key Cryptosystem

• A PKC allows parties to communicate securely without having to agree on a secret key beforehand
• First lattice-based PKC presented in [AjtaiDwork97]
  – Some improvements [GoldreichGoldwasserHalevi97, R03]
• Security based on the worst-case hardness of a special case of SVP known as unique-SVP
• Some disadvantages:
  • Based only on unique-SVP
  • Impractical (think of n as 100):
    • Public key size O(n^4)
    • Encryption expands by O(n^2)

A Recent Public-key Cryptosystem [Ajtai05]

• Main advantages:
  • Practical (think of n as 100):
    • Public key size O(n)
    • Encryption expands by O(n)
• Some disadvantages:
  • Not based on lattice problems
  • No worst-case hardness

Another Recent Public-key Cryptosystem [R05]

• Main advantages:
  • Practical (think of n as 100):
    • Public key size O(n)
    • Encryption expands by O(n)
  • Worst-case hardness
  • Based on the main lattice problems (SVP, SIVP)
• One disadvantage:
  • Breaking the cryptosystem implies an efficient quantum algorithm for lattices

Example of a lattice-based PKC [R05]

• Everything modulo 4
• Private key: 4 random numbers   1 2 0 3
• Public key: a 6×4 matrix and, for each row, its approximate inner product with the private key. The private key stays hidden, so an outsider sees only the rows and the approximate values:

  2·? + 0·? + 1·? + 2·? ≈ 1
  1·? + 2·? + 2·? + 3·? ≈ 2
  0·? + 2·? + 0·? + 3·? ≈ 1
  1·? + 2·? + 0·? + 2·? ≈ 0
  0·? + 3·? + 1·? + 3·? ≈ 3
  3·? + 3·? + 0·? + 2·? ≈ 2

  With the private key filled in, the exact inner products (mod 4) are known only to the key holder; each published value differs from the exact one by at most 1:

  2·1 + 0·2 + 1·0 + 2·3 = 0   (published as ≈ 1)
  1·1 + 2·2 + 2·0 + 3·3 = 2   (published as ≈ 2)
  0·1 + 2·2 + 0·0 + 3·3 = 1   (published as ≈ 1)
  1·1 + 2·2 + 0·0 + 2·3 = 3   (published as ≈ 0)
  0·1 + 3·2 + 1·0 + 3·3 = 3   (published as ≈ 3)
  3·1 + 3·2 + 0·0 + 2·3 = 3   (published as ≈ 2)

• Encrypt the bit 0: a fresh row together with an approximate inner product (in [R05] the row is the sum of a random subset of the public rows; here it equals row 1 + row 4 mod 4):
  3·? + 2·? + 1·? + 0·? ≈ 3
• Encrypt the bit 1: the same row, with 2 (half the modulus) added to the value:
  3·? + 2·? + 1·? + 0·? ≈ 1
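The scheme sketched on this slide, as an added runnable example written for this page; it is not code from the talk or from [R05]. It keeps the slide's structure (a secret vector, public rows with noisy inner products, encryption of a bit by summing a random subset of rows and adding half the modulus to the value, decryption by checking whether what is left after subtracting the secret's inner product is near 0 or near q/2) and fills in what the slide leaves implicit as assumptions: errors drawn from {−1, 0, 1}, a decryption threshold of q/4, and larger toy parameters n = 8, m = 20, q = 257 chosen so that the errors of the summed rows cannot reach q/4. The slide's own 6×4 key is transcribed as constants so the errors it hides can be recovered. None of these parameters gives any security; they only make the mechanics visible.

```python
import random

# Added illustration of the [R05]-style scheme on the slide; not the talk's code.
# Secret s in Z_q^n; public rows (a_i, b_i) with b_i = <a_i, s> + e_i (mod q) and
# small e_i; a bit is encrypted by summing a random subset of public rows and
# adding bit * (q // 2) to the value. Toy parameters, no security whatsoever.


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def keygen(n, m, q, rng):
    """Return (secret s, public key (A, b)); errors are assumed to lie in {-1, 0, 1}."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(dot(row, s) + rng.choice((-1, 0, 1))) % q for row in A]
    return s, (A, b)


def encrypt(pk, bit, q, rng):
    """Sum a random (non-empty) subset of public rows; add q//2 to the value for bit 1."""
    A, b = pk
    subset = [i for i in range(len(A)) if rng.random() < 0.5] or [rng.randrange(len(A))]
    n = len(A[0])
    a_sum = [sum(A[i][j] for i in subset) % q for j in range(n)]
    b_sum = (sum(b[i] for i in subset) + bit * (q // 2)) % q
    return a_sum, b_sum


def decrypt(s, ct, q):
    """b_sum - <a_sum, s> is the accumulated error (bit 0) or q//2 plus it (bit 1)."""
    a_sum, b_sum = ct
    d = (b_sum - dot(a_sum, s)) % q
    return 0 if d < q // 4 or d > q - q // 4 else 1


def errors(A, b, s, q):
    """Centred error vector e = b - A s (mod q): what the secret key reveals about b."""
    out = []
    for row, bi in zip(A, b):
        e = (bi - dot(row, s)) % q
        out.append(e - q if e > q // 2 else e)
    return out


# The slide's key, transcribed: modulus 4, private key (1, 2, 0, 3), six public rows.
SLIDE_Q = 4
SLIDE_S = [1, 2, 0, 3]
SLIDE_A = [[2, 0, 1, 2], [1, 2, 2, 3], [0, 2, 0, 3], [1, 2, 0, 2], [0, 3, 1, 3], [3, 3, 0, 2]]
SLIDE_B = [1, 2, 1, 0, 3, 2]


def roundtrip(n=8, m=20, q=257, bits=(0, 1, 1, 0), seed=2006):
    """Encrypt and decrypt a few bits under fresh toy keys; with |e_i| <= 1 and at most
    m = 20 rows summed, the accumulated error is below q//4 = 64, so decryption is exact."""
    rng = random.Random(seed)
    s, pk = keygen(n, m, q, rng)
    return [decrypt(s, encrypt(pk, bit, q, rng), q) for bit in bits]
```

errors(SLIDE_A, SLIDE_B, SLIDE_S, SLIDE_Q) returns the noise the slide's public values hide, (1, 0, 0, 1, 0, −1), and decrypt(SLIDE_S, ([3, 2, 1, 0], 3), 4) and decrypt(SLIDE_S, ([3, 2, 1, 0], 1), 4) recover the slide's two ciphertexts as 0 and 1. With q = 4 as on the slide, a single error of size 1 already equals q/4, so summing two noisy rows (row 1 and row 4 carry +1 each) can shift the value by q/2 and flip the decrypted bit; that is why the runnable parameters use a larger modulus, and why a real instantiation sizes q against the error distribution and the number of rows summed.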

Construction of a Lattice-based Collision Resistant Hash Function

Blurring a Picture

Blurring a Lattice

[Figure sequence: the points of a lattice with Gaussian blur of increasing radius added, step by step, until the picture looks uniform]

The Smoothing Radius

• Define the smoothing radius η = η(L) > 0 as the smallest real such that adding Gaussian blur of radius η to L yields an essentially uniform distribution
• The radius η was analyzed in [MicciancioR04] based on Fourier analysis and [Banaszczyk93]
• It was shown that η is ‘small’ in the sense that finding vectors of length poly(n)·η(L) implies a solution to poly(n)-approximate SVP

An Alternative Definition

• Define h: R^n → [0,1)^n that maps any x = Σ α_i v_i (v_1, …, v_n a basis of L) to h(x) = (α_1, …, α_n) mod 1
  • E.g., any x ∈ L has h(x) = (0, …, 0)
• Then the alternative way to define η is as: the smallest real such that if x is sampled from a Gaussian distribution centered around 0 of radius η, then h(x) is ‘essentially’ uniform on [0,1)^n

[Figure: points x_1, x_2, x_3, x_4 in R^n, with 0 marked, and their images h(x_1), …, h(x_4) in the unit cube [0,1)^n with corners (0,0), (1,0), (0,1), (1,1)]

Our CRHF

• Fix the dimension n, let q = 2^{2n}, and m = 4n^2
• Choose a_1, …, a_m uniformly in Z_q^n. Then define f_{a_1,…,a_m}: {0,1}^m → {0,1}^{n log_2 q} by
  f_{a_1,…,a_m}(b_1, …, b_m) = Σ b_i a_i (mod q)
• Since m > n log_2 q, (many) collisions exist
• We now prove security by showing that: being able to find a collision in a randomly chosen f_{a_1,…,a_m}, even with probability n^{−100}, implies a solution to any instance of poly(n)-approximate SVP

Security Proof

• Assume there exists an algorithm CollisionFind that given a_1, …, a_m chosen uniformly in Z_q^n, finds with some non-negligible probability b_1, …, b_m ∈ {−1, 0, 1} (not all zero) such that Σ b_i a_i = 0 (mod q)
  (a collision f(b) = f(b') between distinct b, b' ∈ {0,1}^m gives such a vector: take b − b')
• This implies an algorithm CollisionFind’ that given a_1, …, a_m chosen uniformly from [0,1)^n, finds with some non-negligible probability b_1, …, b_m ∈ {−1, 0, 1} (not all zero) such that Σ b_i a_i ≈ (0, …, 0) (mod 1) (up to m/q in each coordinate)
  (CollisionFind’ rounds each a_i to the grid (1/q)·Z_q^n and runs CollisionFind on the scaled points; each of the at most m terms moves by less than 1/q, hence the m/q slack)

[Figure: points a_1, …, a_6 in the unit square with corners (0,0), (1,0), (0,1), (1,1); output: “a_1 + a_2 − a_4 + a_5 ≈ (0, …, 0) (mod 1)”]

Security Proof

• Our goal is to show that using CollisionFind’ we can find a nonzero vector of length at most poly(n)·η(L) in any given lattice L
• So let L be a given lattice with basis v_1, …, v_n
• By using the LLL algorithm, we can assume that v_1, …, v_n are not ‘unreasonably’ long: say, of length at most 2^n·η(L)

Security Proof – Main Procedure

• Sample m vectors x_1, …, x_m from the Gaussian distribution around 0 of radius η
• Compute a_1 := h(x_1), …, a_m := h(x_m)
  • Each a_i is uniformly distributed in [0,1)^n
• Apply CollisionFind’ to obtain b_1, …, b_m ∈ {−1, 0, 1} such that Σ b_i h(x_i) is within m/q of (0, …, 0) in each coordinate (mod 1)
• Define y = Σ b_i x_i. Then,
  • y is short: its length is at most Σ |b_i|·||x_i||, roughly m·η
  • y is extremely close to a lattice point, since h(y) = Σ b_i h(x_i) is within m/q of (0, …, 0) in each coordinate (mod 1)

Security Proof – Main Procedure

• Write y = Σ α_i v_i for some reals α_1, …, α_n
• So each α_i is within m/q of an integer
• Define the lattice vector y’ = Σ ⌊α_i⌉ v_i, where ⌊α_i⌉ is α_i rounded to the nearest integer
• The distance ||y − y’|| = ||Σ (α_i − ⌊α_i⌉) v_i|| ≤ Σ |α_i − ⌊α_i⌉| · ||v_i|| ≤ n · (m/q) · 2^n η(L) ≤ η(L), since q = 2^{2n} and m = 4n^2 give 4n^3/2^n ≤ 1 for all large enough n
• So y’ is a lattice vector of length at most (m+1)·η

[Figure: 0 and the samples x_1, …, x_4; the call CollisionFind’(a_1, a_2, a_3, a_4) returns “−a_2 − a_3 + a_4 ≈ 0 (mod 1)”; the resulting y is drawn next to the lattice point y’]

Security Proof – One Last Issue

• How to guarantee that y’ is nonzero?
• Maybe CollisionFind’ acts in some ‘malicious’ way, trying to make y’ zero
• It can be shown that a_i does not contain enough information about x_i
• In other words, conditioned on any fixed a_i, x_i still has enough randomness to guarantee that y’ is nonzero with very high probability

Security Proof – Conclusion

• By a single call to the collision finder, we can find in any lattice a nonzero vector of length at most (m+1)·η with some non-negligible probability
• Obviously, by repeating this procedure we can obtain such a vector with very high probability
• The essential idea: all lattices look the same after adding some small amount of blur
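An added worked example, written for this page rather than taken from the talk, that runs the construction above at toy size and serves three earlier passages at once: the modular subset-sum function (the n = 1 case), the hash f_{a_1,…,a_m}(b) = Σ b_i a_i (mod q) over Z_q^n from the Our CRHF slide, and the main procedure of the security proof. The collision finder is brute force (it enumerates subsets of {1, …, m} until two hash alike, which the pigeonhole principle guarantees once 2^m > q^n), so the parameters are assumptions chosen for speed: n = 2, q = 64, m = 13, the basis v_1 = (4, 1), v_2 = (1, 4), and Gaussian radius 8; the talk's q = 2^{2n}, m = 4n^2 are far beyond what such a finder can handle. The map h, the discretisation of h(x_i) to Z_q^n, the vector y = Σ b_i x_i and the rounding to the nearby lattice point y’ follow the proof's steps.

```python
import math
import random

# Added illustration of the hash from "Our CRHF" and of the security proof's main
# procedure; not the talk's code. Toy parameters only (assumed: n = 2, q = 64, m = 13).


def hash_sis(a_vectors, bits, q):
    """f_{a_1..a_m}(b_1..b_m) = sum_i b_i a_i (mod q), coordinate-wise, a_i in Z_q^n.
    With n = 1 this is the modular subset-sum function."""
    n = len(a_vectors[0])
    return tuple(sum(b * a[j] for b, a in zip(bits, a_vectors)) % q for j in range(n))


def find_collision(a_vectors, q):
    """Enumerate subsets of {1..m} until two hash alike (guaranteed once 2^m > q^n).
    Returns b = indicator(one subset) - indicator(the other): entries in {-1, 0, 1},
    not all zero, with sum_i b_i a_i = 0 (mod q). Exponential time: demonstration only."""
    m = len(a_vectors)
    seen = {}
    for mask in range(1 << m):
        bits = [(mask >> i) & 1 for i in range(m)]
        digest = hash_sis(a_vectors, bits, q)
        if digest in seen:
            return [x - y for x, y in zip(bits, seen[digest])]
        seen[digest] = bits
    return None


def coords(basis, x):
    """Solve x = sum_i alpha_i v_i for the reals alpha_i (Gauss-Jordan, n small)."""
    n = len(basis)
    M = [[basis[i][r] for i in range(n)] + [x[r]] for r in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [mr - f * mc for mr, mc in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def h_map(basis, x):
    """h(x) = (alpha_1, ..., alpha_n) mod 1; every lattice point maps to (0, ..., 0)."""
    return [a - math.floor(a) for a in coords(basis, x)]


def norm(v):
    return math.sqrt(sum(c * c for c in v))


def short_vector_from_collision(basis, q, m, radius, seed=2006, attempts=20):
    """Main procedure of the proof. Repeats only if y' comes out zero (the proof shows
    this is very unlikely) or the finder fails (impossible here once 2^m > q^n)."""
    rng = random.Random(seed)
    n = len(basis)
    for _ in range(attempts):
        xs = [[rng.gauss(0.0, radius) for _ in range(n)] for _ in range(m)]
        # a_i = h(x_i) discretised to Z_q^n; discretisation error < 1/q per coordinate
        a_vectors = [[int(q * c) % q for c in h_map(basis, x)] for x in xs]
        b = find_collision(a_vectors, q)
        if b is None:
            continue
        y = [sum(bi * x[j] for bi, x in zip(b, xs)) for j in range(n)]
        alpha = coords(basis, y)        # each alpha_i is within m/q of an integer
        k = [round(a) for a in alpha]   # integer coefficients of the lattice point y'
        y_prime = [sum(ki * basis[i][j] for i, ki in enumerate(k)) for j in range(n)]
        if any(k):
            return {"a": a_vectors, "b": b, "y": y, "alpha": alpha, "coeffs": k, "y_prime": y_prime}
    raise RuntimeError("no nonzero lattice vector found in the allowed attempts")
```

The returned dictionary makes the proof's invariants checkable: b is a nonzero {−1, 0, 1}-vector with Σ b_i a_i = 0 (mod q); every coefficient α_i of y is within m/q of an integer; and y − y’ has length at most (m/q)·Σ||v_i||, so y’ is a nonzero lattice vector about as short as y. What the toy cannot show is the bound on ||y’|| relative to η(L): that needs the Gaussian radius to sit at the smoothing radius and a collision finder that works at cryptographic sizes, which is exactly the assumption the reduction starts from.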

Open Problems

• Cryptanalysis
  • Current attacks limited to low dimension [NguyenStern98]
  • New systems [Ajtai05, R05] are efficient and can be easily used with dimension 100+
• Improved cryptosystems
  • Construct the ‘ultimate’ lattice-based cryptosystem? (based on SVP, efficient)
  • Construct more efficient schemes based on special classes of lattices?
• Comparison with number theoretic cryptography
  • E.g., can one factor integers using an oracle for n-approximate SVP?
• Signature schemes
  • Can one construct provably secure lattice-based signature schemes?
• Security against chosen-ciphertext attacks
  • Known lattice-based cryptosystems are not secure against CCA