Download Intro to Lattice-Based Encryption

Document related concepts

Factorization wikipedia , lookup

Birkhoff's representation theorem wikipedia , lookup

Lattice (order) wikipedia , lookup

Transcript
Lattice-Based Cryptography
Vadim Lyubashevsky
Cryptography
Allows for secure communication in the presence of malicious parties
2
Cryptography
Allows for secure communication in the presence of malicious parties
3
Cryptography
Allows for secure communication in the presence of malicious parties
4
Symmetric-Key Cryptography
Secret key = s
Symmetric-Key Cryptography
Will still exist if quantum computers are built
Secret Key = s
Secret Key = s
Public-Key Cryptography
Secret Key = s
Public Key = p
Public-Key Cryptography
Secret Key = s
Public Key = p
Public Key = p
Public Key = p
Mathematical Assumptions for
Public-Key Cryptography
Computing discrete logs is hard
Factoring is hard
gx=y mod p
N=pq
Mostly problems from number theory
All broken once a quantum computer is built
9
Consequence of Quantum Computing
Current public key schemes will be broken
Quantum computers will recover all of today’s secrets
+
=
10
Consequence of Quantum Computing
Need to eventually migrate all internet
security to quantum-resistant schemes
Do it only once!
11
Assumptions for Quantum-Resilient
Public-Key Cryptography
Computing discrete logs is hard
Factoring is hard
gx=y mod p
N=pq
Finding short vectors in lattices is hard
(f,g) in Z[x]/(xn+1)
12
Ultimate Goal
Construct practical, quantum-resilient cryptography
for every device
13
The Critical Schemes
Digital Signatures
Key Exchange
(Public Key Encryption)
14
Practical Lattice-Based Constructions
Key Exchange:
Digital Signatures:
NTRU public-key
encryption (1998)
Recent (2013) schemes
(e.g. BLISS)
Ring-LWE public-key
encryption (2010)
15
Lattice Cryptography ≈ Knapsack Cryptography
(done correctly)
16
THE SUBSET SUM (KNAPSACK) PROBLEM
Subset Sum Problem
ai , T in ZM
ai are chosen randomly
T is a sum of a random subset of the ai
a1
a2
a3 …
an
Find a subset of ai's
that sums to T (mod M)
T
Subset Sum Problem
ai , T in Z49
ai are chosen randomly
T is a sum of a random subset of the ai
15
31
24
3
14
15 + 31 + 14 = 11 (mod 49)
11
How Hard is Subset Sum?
ai , T in ZM
a1
a2
a3 …
an
T
Find a subset of ai's that sums to T (mod M)
Hardness Depends on:
• Size of n and M
• Relationship between n and M
Complexity of Solving Subset Sum
M
2log²(n)
poly(n)
“generalized birthday attacks”
[FlaPrz05,Lyu06,Sha08]
2n 2cn
2n log(n)
2Ω(n)
run-time
2n²
poly(n)
“lattice reduction attacks”
[LagOdl85,Fri86]
Subset Sum is “Pseudorandom”
“Computationally Indistinguishable”
DX
X1
X2
…
Xk
…
?
=
D?
Z1
Z2
…
Zk
…
?
=
DY
Y1
Y2
…
Yk
…
Subset Sum is “Pseudorandom”
[Impagliazzo-Naor 1989]:
For random a1,...,an in ZM and random x1,...,xn in {0,1},
distinguishing the distribution
(a1,...,an, a1x1+...+anxn mod M)
from the uniform distribution U(Zn+1
M )
is as hard as finding x1,...,xn
What About Public-Key Encryption?
Many early attempts
None of them had proofs of security
All seem to be broken
CRYPTOSYSTEM BASED ON SUBSET SUM
[L, PALACIO, SEGEV 2010]
Facts About Addition
Want to add 4679 + 3907 + 8465 + 1343 mod 104
2
4
3
8
1
8
1 2
6
9
4
3
3
7
0
6
4
9
9
7
5
3
4
4
3
8
1
6
6
9
4
3
2
7
0
6
4
7
9
7
5
3
4
Adding n numbers (written in base q) modulo qm → carries < n
If q>n , then Adding with carries ≈ Adding without carries
(i.e. in ZM)
(i.e. in Znq )
So...
1 1 0 1
=
9
7
5
3
1 1 0 1
8 1 1 9
+
2 1 1 0
=
0 2 2 9
4
3
8
1
6
9
4
6
7
0
6
4
NOT Pseudorandom!
Pseudorandom based on
Subset Sum!
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
Column Subset Sum Addition
Is Also Pseudorandom
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
1
1
0
1
+
1
1
=
1
0
0
9
8
0
“Hybrid” Subset Sum Addition Is Also
Pseudorandom
1 0 0 1
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
0
9
8
0
+
1 1 1 0 0
=
6 3 2 2 0
pseudorandom
Encryption Scheme
A
s +
= t
r
A
t
{0,1}n
+
Znq x n
{0,1}n
Public Key
0
+
=
u
m
v
Encryption Scheme
A
s +
= t
r
A
t
+
0
Is pseudo-random based on the hardness
of the subset sum problem
+
=
u
m
v
Encryption Scheme
A
s +
r
= t
A
t
+
0
v =
r
=
r
+
A
s +
+
A
+
s
+
m
m
+
=
u
m
v
Encryption Scheme
A
s +
r
= t
A
t
+
0
u
s
=
r
=
r
A
+
A
s
=
u
s
+
≈ v -
+
m
m
v
Encryption Scheme
A
s +
r
= t
A
t
+
0
+
=
u
v -
u
=
s
+
m
represent 0 by m=0
represent 1 by m=(q-1)/2
m
v
CRYPTOSYSTEM BASED ON LWE
[REGEV 2005]
Encryption Scheme
(what we needed)
A
s +
= t
r
A
t
+
“small”
Pseudorandom
0
+
=
u
m
v
Picking the “Carries”
• In Subset Sum: carries were deterministic
• What if … we pick the “carries” at random
from some distribution?
So...
9
7
5
3
1 1 0 1
+
1 3 2 1
+
2 1 1 0
=
7 2 0 3
=
0 2 2 9
2 3 0 1 4
3
8
1
Pseudorandom based on
LWE [Reg ‘05]
6
9
4
6
7
0
6
4
Pseudorandom
based on
Subset Sum
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
(Decision) LWE Problem
World 1
a1
a2
...
am
World 2
a1
a2
s
+ e
= b
...
am
b
uniformly
random in Zpm
Theorem [Regev '05] : There is a polynomial-time quantum
reduction from solving certain lattice problems in the worst-case
to solving LWE.
LWE vs. Subset Sum
• The Subset Sum assumption has “deterministic
noise” (is this useful for anything?)
• The LWE assumption is more “versatile”
a1
a2
n2
...
LWE Problem
Subset Sum Problem
s
s
+ e
= b
n2
a1 a2 … an
am
n
n
+
= b
LWE / Subset Sum Encryption
A
s +
r
= t
A
t
+
0
n-bit Encryption
Have
Want
Public Key Size
Õ(n)
O(n)
Secret Key Size
Õ(n)
O(n)
Ciphertext Expansion Õ(n)
O(1)
Encryption Time
Õ(n3)
O(n)
Decryption Time
Õ(n2)
O(n)
+
=
u
m
v
CRYPTOSYSTEM BASED ON RING-LWE
[L, PEIKERT, REGEV 2010]
Source of Inefficiency of LWE
A
s +
= t
Getting n extra random-looking
numbers (i.e. t) from a secret s requires
n2 random numbers (i.e. A) and an error
vector
Wishful thinking: get n random numbers and produce n
pseudo-random numbers in “one shot”
2
1
8
0
7
3
*
2
1
+
=
Use Polynomials
f(x) is a polynomial xn + an-1xn-1 + … + a1x + a0
R = Zp[x]/(f(x)) is a polynomial ring with
•
•
Addition mod p
Polynomial multiplication mod p and f(x)
Each element of R consists of n elements in Zp
In R:
•
•
small+small = small
small*small = small (depending on f(x) )
Ring-LWE cryptosystem
Encryption
Secret Key
a s +
= t
r a +
= u
r t +
+ m = v
Public Key
r t +
r
Decryption
+ m - r a +
s
a s +
+
+ m - r a +
+
-
s + m =
r
+ m
=
s
v - u s
Security
a s +
= t
Pseudorandom??
r a +
= u
r t +
+ m = v
Decision
Learning With Errors over Rings
World 1
a1
World 2
s
b1
a1
b1
a2
b2
a2
b2
a3
b3
a3
b3
…
…
…
bm
am
bm
…
am
+
=
Theorem [LPR ‘10]: In cyclotomic rings, there is a quantum reduction from solving
worst-case problems in ideal lattices to solving Decision-RLWE
Security
a s +
= t
r a +
= u
r t +
+ m = v
Pseudorandom based on
Decision Ring-LWE!!
Ring-LWE Encryption
a s +
= t
r a +
= u
r t +
+ m = v
n-bit Encryption
From LWE
From Ring-LWE
Public Key Size
Õ(n)
Õ(n)
Secret Key Size
Õ(n)
Õ(n)
Ciphertext Expansion
Õ(n)
Õ(1)
Encryption Time
Õ(n3)
Õ(n)
Decryption Time
Õ(n2)
Õ(n)
Where are the lattices?
51
Subset Sum and Lattices
An integer lattice is an additive subgroup of Zn
a1 a2 a3 … an
T=
aixi mod M for xi in {0,1}
a = (a1, a2, … , an, -T)
L(a) = {y in Zn+1 : a∙y = 0 mod M}
Notice that x=(x1, x2, … ,xn,1) is in L(a)
||x|| < 𝑛 + 1
Connection to Lattices
Finding short vectors in lattices implies:
Solving subset sum
Solving LWE
Solving Ring-LWE
Basically breaking all of “lattice crypto”
Interesting part:
There are proofs in the other direction
53
Connection to Lattices
Solving LWE 
– For all lattices, determining whether a lattice has a
short vector (GapSVP) via a classical reduction
– For all lattices, finding n linearly-independent short
vectors (SIVP) via a quantum reduction
Solving Ring-LWE over the ring Zq[x]/(f(x)) 
– For all ideals of Z[x]/(f(x)), finding a short vector
(Ideal-SVP) via a quantum reduction
54
Purpose of Proofs in Practice
Proofs guide us to the “correct design”
Sometimes the “correct design” is surprising
Example:
– We know decision problems are easy in the ring
Z[x]/(xn-1) because x-1 is a factor
– Trying to get a security reduction led us to choose a
polynomial f(x) irreducible over the integers
– But working over the ring Zq[x]/(f(x)) where f(x) factors
completely over Zq is OK – even sometimes necessary!
55
Getting a Usable Scheme
Setting exact parameters is trickier
– If we follow the proof, may be too inefficient
– If we deviate, we may be less secure
Need to have a feeling for what’s important
No substitute for cryptanalysis
Proofs tell the cryptanalyst what to concentrate on
56
Summary
Practical designs for all the basic schemes
Public-key encryption
Authenticated key exchange
Digital signatures
Identity-based encryption
The only public-key primitive
really needed on the internet
Polynomial-time constructions for many other schemes
Group signatures
Fully-homomorphic encryption
Attribute-based encryption
Many others
57
Some Research Directions
Come up with much better designs
Polynomial-time constructions for many other schemes
Group signatures
Fully-homomorphic encryption
Attribute-based encryption
Many others
58
Some Research Directions
Practical designs for all the basic schemes
Public-key encryption
Authenticated key exchange
Digital signatures
Identity-based encryption
Cryptanalysis
Efficient (quantum) algorithm for finding short vectors in ideal lattices?
If yes, then the hardness foundation is in question
What is the best (quantum) algorithm for Ring-LWE?
Need this to set concrete parameters
59
Some Research Directions
Practical designs for all the basic schemes
Public-key encryption
Authenticated key exchange
Digital signatures
Identity-based encryption
Standardization
Algorithmic problems (e.g. efficient sampling)
Want TLS and IKE to use lattices (and use them well)
Many trade-offs between speed/size possible
Resource-constrained devices
Standards may need to be “application-driven”
60
THANK YOU
61