Lattice-Based Cryptography

Lattice-Based Cryptography

Cryptographic Hardness Assumptions

Factoring is hard

Discrete Log Problem is hard

Diffie-Hellman problem is hard

Decisional Diffie-Hellman problem is hard

Problems involving Elliptic Curves are hard

Many assumptions

Why Do We Need More Assumptions?

Number theoretic functions are rather slow

Factoring, Discrete Log, Elliptic curves are “of the same flavor”

Quantum computers break all number theoretic assumptions

Lattice-Based Cryptography

Seemingly very different assumptions from factoring, discrete log, elliptic curves

Simple descriptions and implementations

Very parallelizable

Resists quantum attacks (we think)

Security based on worst-case problems

Average-Case Assumptions vs.Worst-Case Assumptions

Example: Want to base a scheme on factoring

Need to generate a “hard-to-factor” N

How?

Need a “hard distribution”

Picking a Hard-to-Factor N

How do you pick a “good” N?Just pick p,q as random large primes and set N=pq?

(1978) Largest prime factors of p-1,q-1 should be large

(1981) p+1 and q+1 should have a large prime factor

(1982) If the largest prime factor of p-1 and q-1 is p' and q', then p'-1 and q'-1 should have large prime factors

(1984) If the largest prime factor of p+1 and q+1 is p' and q', then p'-1 and q'-1 should have large prime factors

...

Picking a Hard-to-Factor N

Need to know a probability distribution over Z such that picking an N according to it will make N hard to factor

Wishful thinking: There is a distribution D such that factoring in the worst case reduces to factoring numbers chosen according to D

Lattice Problems

Small Integer Solution

Problem (SIS)

Learning With Errors

Problem (LWE)

One-Way FunctionsCollision-Resistant Hash

FunctionsDigital Signatures

Identification Schemes

(Minicrypt)

Public Key EncryptionOblivious Transfer

Identity-Based EncryptionHierarchical Identity-Based

Encryption

(Cryptomania)

Worst-Case

Average-Case

Shortest Independent Vector Problem (SIVP)

Find n short linearly independent vectors



Approximate Shortest Independent Vector Problem

Find n pretty short linearly independent vectors

Lattice Problems


Problem (SIS)


Problem (LWE)




(Minicrypt)



Encryption

(Cryptomania)

Worst-Case

Average-Case

BDD


Problem (SIS)


Problem (LWE)




(Minicrypt)



Encryption

(Cryptomania)

Worst-Case

Average-Case

SIVPquantum

Small Integer Solution Problem

a1

a2

am in Z

qn

Find: non-trivial solution z1,...,z

m in {-1,0,1} such that:

z1

z2

zm

+ + … + = 0

Given: Random vectors a1,...,a

m in Z

qn

Observations:If size of zi is not restricted, then the problem is

trivialImmediately implies a collision-resistant hash function

BDD


Problem (SIS)


Problem (LWE)




(Minicrypt)



Encryption

(Cryptomania)

Worst-Case

Average-Case

SIVP

For Any Lattice ...

Consider the distribution obtained by:1. Pick a uniformly random lattice point2. Sample from a Gaussian distribution centered

at the lattice point

One-Dimensional Gaussian Distribution

Two-Dimensional Gaussian Distribution

Image courtesy of wikipedia

Gaussians on Lattice Points

Image courtesy of Oded Regev









Standard deviation of Gaussian that leads to the uniform distribution is related to the length of the

longest vector in SIVP solution

Worst-Case to Average-Case Reduction



0 1 2 021 1 2 0 1

01

2

01

20

12

Important: All lattice points have label (0,0) and

All points labeled (0,0) are lattice points (0n in n dimensional lattices)

0 1 2 021 1 2 0 1

01

2

01

20

12

How to use the SIS oracle to find a short vector in any lattice:Repeat m times:

Pick a random lattice point

0 1 2 021 1 2 0 1

01

2

01

20

12


Pick a random lattice pointGaussian sample a point around the lattice point

0 1 2 021 1 2 0 1

01

2

01

20

12



All the samples are uniform in Zq

n

0 1 2 021 1 2 0 1

01

2

01

20

12



Give the m “Zqn samples” a1,...,am to the SIS oracle

Oracle outputs z1,...,zm in {-1,0,1} such that a1z1 + … +

amzm = 0

0 1 2 021 1 2 0 1

01

2

01

20

12



amzm = 0

= si

= vi

s1z1+...+smzm is a lattice vector

(v1+r1)z1+...+(vm+rm)zm is a lattice vector

(v1z1+...+vmzm) + (r1z1+...+rmzm) is a lattice

vectorSo r1z1+...+rmzm is a lattice vector

vi + ri =

si

0 1 2 021 1 2 0 1

01

2

01

20

12



amzm = 0

= si

= vi

So r1z1+...+rmzm is a lattice vector

ri are short vectors, zi are in {-1,0,1}

So r1z1+...+rmzm is a short lattice vectorvi + ri =

si

Some Technicalities

You can’t sample a “uniformly random” lattice point

In the proofs, we work with Rn / L rather than Rn

So you don't need to sample a random point lattice point

What if r1z1+...+rmzm is 0?

Can show that with high probability it isn't

Given an si, there are multiple possible ri

• Gaussian sampling doesn’t give us points on the grid

You can round to a grid point

Must be careful to bound the “rounding distance”

Documents

Lattice-Based Cryptography