Courant Institute of Mathematical Sciences

Lattice-Based Cryptography

Overview: worst-case lattice problems reduce to two average-case problems, and each of those gives a family of primitives.
Worst-case lattice problems
  -> average-case Small Integer Solution problem (SIS)
       -> one-way functions, collision-resistant hash functions, digital signatures, identification schemes  (Minicrypt)
  -> average-case Learning With Errors problem (LWE)
       -> public-key encryption, oblivious transfer, identity-based encryption, hierarchical identity-based encryption  (Cryptomania)
Learning With Errors Problem
Find the secret s given samples
a_1, b_1 = <a_1,s> + e_1
a_2, b_2 = <a_2,s> + e_2
...
where s is chosen uniformly at random in Z_q^n, each a_i is chosen uniformly at random in Z_q^n, and each e_i is a "small" element of Z_q.
(Decisional) Learning With Errors Problem
Distinguish between these two distributions:
Oracle 1: a_1, b_1 = <a_1,s> + e_1; a_2, b_2 = <a_2,s> + e_2; ... where s is chosen uniformly at random in Z_q^n (the same s for every sample), each a_i is chosen uniformly at random in Z_q^n, and each e_i is a "small" element of Z_q.
Oracle 2: a_1, b_1; a_2, b_2; ... where each a_i is chosen uniformly at random in Z_q^n and each b_i is chosen uniformly at random in Z_q.
LWE < d-LWE (search LWE reduces to decisional LWE)
Suppose we have a distinguisher between Oracle 1 and Oracle 2. Pick a vector v and a guess g for <v,s>. From each LWE sample (a, b) = (a, <a,s> + e), pick a fresh random r in Z_q and output
(a + rv, b + rg) = (a + rv, <a,s> + e + rg).
If g = <v,s>, then
(a + rv, b + rg) = (a + rv, <a,s> + e + r<v,s>) = (a + rv, <a + rv, s> + e),
which is an Oracle 1 sample for the same secret s (a + rv is uniform because a is).
If g ≠ <v,s>, write g = <v,s> + g' with g' ≠ 0. Then
(a + rv, b + rg) = (a + rv, <a,s> + e + r<v,s> + rg') = (a + rv, <a + rv, s> + e + rg').
Since q is prime, g' is invertible in Z_q, and r is independent of a' = a + rv, s and e (a' is uniform whatever r is), so for every u in Z_q
Pr[<a',s> + e + rg' = u | a'] = Pr[r = (u - (<a',s> + e)) * g'^(-1)] = 1/q,
i.e. the second component is uniform and we produce the Oracle 2 distribution.
So the distinguisher tells us whether the guess for <v,s> was correct. Setting v = (1,0,...,0), then (0,1,0,...,0), ..., and trying each of the q possible guesses for <v,s> recovers every coordinate of s with at most n*q calls to the distinguisher (so the argument needs q prime and polynomial in n).
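The reduction above, written out as an added worked example (this is not code from the lecture). Because a d-LWE distinguisher is hypothetical, the block stands in for it with an oracle that secretly knows s and answers "Oracle 1" iff every residual b - <a,s> is small; the reduction code itself only ever sees that yes/no answer. The parameters (q = 97, n = 6, m = 24, errors in [-2, 2]) and the function names are ours.

```python
# Search-to-decision reduction for LWE (added example).  The stand-in
# distinguisher knows s, which a real one would not; the reduction only uses
# its boolean answer, so the logic is exactly the lecture's argument.
import random


def inner(a, s, q):
    return sum(x * y for x, y in zip(a, s)) % q


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2], so 'small' is measurable."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_samples(s, m, q, bound, rng):
    """m samples (a_i, <a_i,s> + e_i) with a_i uniform in Z_q^n, |e_i| <= bound."""
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(len(s))]
        e = rng.randint(-bound, bound)
        out.append((a, (inner(a, s, q) + e) % q))
    return out


def make_distinguisher(s, q, bound):
    """Stand-in for a perfect d-LWE distinguisher (assumption: it knows s).

    On Oracle-2 input (uniform b) one sample passes with probability
    (2*bound+1)/q, so over m samples the false-accept rate is negligible."""
    def is_oracle1(samples):
        return all(abs(centered(b - inner(a, s, q), q)) <= bound for a, b in samples)
    return is_oracle1


def transform(samples, v, g, q, rng):
    """The reduction's only trick: (a, b) -> (a + r*v, b + r*g), fresh r in Z_q.

    If g = <v,s> the result is an LWE sample for the same s and error;
    otherwise the second component is uniform because r*(g - <v,s>) is
    uniform (q prime, so g - <v,s> is invertible)."""
    out = []
    for a, b in samples:
        r = rng.randrange(q)
        out.append(([(x + r * y) % q for x, y in zip(a, v)], (b + r * g) % q))
    return out


def recover_secret(samples, n, q, is_oracle1, rng):
    """Recover s one coordinate at a time: v = i-th unit vector, guess g = s_i."""
    s = []
    for i in range(n):
        v = [0] * n
        v[i] = 1                      # <v, s> = s_i, so there are q guesses
        for g in range(q):
            if is_oracle1(transform(samples, v, g, q, rng)):
                s.append(g)
                break
        else:
            raise RuntimeError("no guess accepted: input was not an LWE instance")
    return s


def demo(seed=2024, q=97, n=6, m=24, bound=2):
    """Build a toy instance, run the reduction, and report whether the
    stand-in distinguisher (wrongly) accepts a transformed set built from an
    incorrect guess for s_0.  Returns (secret, recovered, wrong_guess_accepted)."""
    rng = random.Random(seed)
    secret = [rng.randrange(q) for _ in range(n)]
    samples = lwe_samples(secret, m, q, bound, rng)
    oracle = make_distinguisher(secret, q, bound)
    recovered = recover_secret(samples, n, q, oracle, rng)
    v = [1] + [0] * (n - 1)
    wrong = oracle(transform(samples, v, (secret[0] + 1) % q, q, rng))
    return secret, recovered, wrong


if __name__ == "__main__":
    secret, recovered, wrong = demo()
    print("recovered secret:", recovered == secret, "| wrong guess accepted:", wrong)
```

The cost is visible in `recover_secret`: q guesses per coordinate, so the reduction is only polynomial when q is. Swapping the stand-in oracle for any real distinguisher with noticeable advantage only changes the number of repetitions needed per guess, not the transform.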
Learning With Errors Problem (matrix form)
Stack the m samples: b = A s + e, where A in Z_q^{m x n} has the a_i as its rows, s in Z_q^n, and e in Z_q^m. All coefficients of e are < sqrt(q) in absolute value.
LWE problem: distinguish (A, As + e) from (A, b), where b is uniformly random in Z_q^m.
Public Key Encryption Based on LWE
Secret key: s in Z_q^n
Public key: A in Z_q^{m x n}, b = As + e, where each coefficient of e is < sqrt(q)
Encrypting a single bit z in {0,1}: pick r in {0,1}^m and send (rA, <r,b> + z(q/2)).
(The ciphertext is a random subset-sum of the rows of A and of the matching entries of b, with the bit encoded in the high half of Z_q.)
Proof of Semantic Security
If b is uniformly random (not of the form As + e), then (A, rA, <r,b>) is statistically close to uniform: for r uniform in {0,1}^m and m sufficiently larger than (n+1) log q, the leftover hash lemma says that r times the random matrix [A | b] is close to uniform even given [A | b].
So (A, rA, <r,b> + z(q/2)) is also close to uniform, for either value of z.
Since (A, b = As + e) looks random (based on the hardness of decisional LWE), the real (A, rA, <r,b> + z(q/2)) also looks random for any z, and encryptions of 0 and 1 are indistinguishable.
Decryption
Have (u, v) where u = rA and v = <r,b> + z(q/2).
Compute <u,s> - v (mod q).
If <u,s> - v is closer to 0 than to q/2, then decrypt to 0.
If <u,s> - v is closer to q/2 than to 0, then decrypt to 1.
Why this works:
<u,s> - v = rAs - r(As + e) - z(q/2) = -<r,e> - z(q/2)
If all coefficients of e are < sqrt(q) and r in {0,1}^m, then |<r,e>| < m*sqrt(q).
So if q >> m*sqrt(q) (concretely, m*sqrt(q) < q/4), the term z(q/2) "dominates" -<r,e> - z(q/2) and the rounding recovers z.
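The scheme above, key generation through decryption, as an added worked example (not code from the lecture). The error distribution (uniform in [-bound, bound]) is an assumption standing in for "each coefficient of e is < sqrt(q)", and the toy parameters n = 8, m = 32, q = 4093, bound = 3 are ours; they satisfy the correctness margin m*bound < q/4 that the decryption argument needs.

```python
# Single-bit LWE public-key encryption (added example, not the lecture's code).
import random


def inner(x, y, q):
    return sum(a * b for a, b in zip(x, y)) % q


def matvec(A, s, q):
    """A s for A given as a list of m rows of length n."""
    return [inner(row, s, q) for row in A]


def vecmat(r, A, q):
    """r A for a row vector r of length m: the encryptor's subset-sum of rows."""
    n = len(A[0])
    return [sum(r[i] * A[i][j] for i in range(len(A))) % q for j in range(n)]


def keygen(n, m, q, bound, rng):
    """Secret key s in Z_q^n; public key (A, b = A s + e), A in Z_q^{m x n}.
    Assumption: e is uniform in [-bound, bound]^m."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-bound, bound) for _ in range(m)]
    b = [(x + y) % q for x, y in zip(matvec(A, s, q), e)]
    return s, (A, b)


def encrypt(pk, z, q, rng):
    """Encrypt bit z: r in {0,1}^m, ciphertext (u, v) = (r A, <r,b> + z*floor(q/2))."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(len(A))]
    return vecmat(r, A, q), (inner(r, b, q) + z * (q // 2)) % q


def decrypt(sk, ct, q):
    """<u,s> - v = -<r,e> - z*floor(q/2) (mod q): near 0 -> 0, near q/2 -> 1."""
    u, v = ct
    d = (inner(u, sk, q) - v) % q
    dist_to_zero = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 0 if dist_to_zero < dist_to_half else 1


def decrypts_correctly(m, bound, q):
    """Worst case |<r,e>| <= m*bound must stay below q/4 for rounding to be safe."""
    return 4 * m * bound < q


def roundtrip(seed=1, n=8, m=32, q=4093, bound=3):
    """True iff both bits survive encrypt/decrypt under these parameters."""
    rng = random.Random(seed)
    sk, pk = keygen(n, m, q, bound, rng)
    return all(decrypt(sk, encrypt(pk, z, q, rng), q) == z for z in (0, 1))


if __name__ == "__main__":
    print("parameters safe:", decrypts_correctly(32, 3, 4093))
    print("roundtrip ok:", roundtrip())
```

`decrypts_correctly` is the check to run before trusting any parameter set: the slide's "q >> m*sqrt(q)" is exactly this inequality with bound = sqrt(q). Note also the size problem the slides go on to describe: the public key here is an m x n matrix plus an m-vector, and every ciphertext of one bit is n + 1 elements of Z_q.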
Lattices in Practice
Lattices have some great features:
- Very strong security proofs (worst-case to average-case reductions)
- The schemes are fairly simple
- Relatively efficient
But there is a major drawback:
- Schemes have very large keys
Hash Function
Description of the hash function: a_1, ..., a_m in Z_q^n.
Input: bit-string z_1 ... z_m in {0,1}^m.
h(z_1 ... z_m) = z_1 a_1 + z_2 a_2 + ... + z_m a_m  (in Z_q^n)
Sample parameters: n = 64, m = 1024, q = p = 257
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 2^512, about 512 bits)
Function description (the m vectors a_i): log_2(257) * 64 * 1024 ≈ 525,000 bits
Public-Key Cryptosystem
(Textbook) RSA:
- Key size: ≈ 2048 bits
- Ciphertext length (2048-bit message): ≈ 2048 bits
LWE-based scheme:
- Key size: ≈ 600,000 bits
- Ciphertext length (2048-bit message): ≈ 40,000 bits
Source of Inefficiency
h(z) = Az, where A is a uniformly random n x m matrix over Z_q and z in {0,1}^m (the slide shows a sample A with single-digit entries and a 0/1 vector z).
Storing A requires O(mn) storage.
Computing the function takes O(mn) time.
A More Efficient Idea
Make A structured: split its m columns into m/n blocks of n columns and let every block be a circulant matrix, i.e. each column is the cyclic shift of the previous one, so the whole block is determined by its first column. In the slide's example (n = 4) the first block has first column (4,7,2,1), so its rows are (4,1,2,7), (7,4,1,2), (2,7,4,1), (1,2,7,4); the second block has first column (10,13,1,7).
Now A only requires m storage (one n-vector per block, m/n blocks).
Az can be computed faster as well.
A More Efficient Idea (continued)
Writing the first column of each block as a polynomial (first column (c_0, ..., c_{n-1}) becomes c_0 + c_1 x + ... + c_{n-1} x^{n-1}) and each n-bit block of z as a polynomial with 0/1 coefficients, a circulant block times a block of z is exactly a polynomial product modulo x^n - 1, so Az is a sum of such products. With the slide's two blocks and z = (1,0,0,1 | 0,1,1,0):
Az = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2)   in Z_p[x]/(x^n - 1)
Interlude: What is Z_p[x]/(x^n - 1)?
Z = integers
Z_p = integers modulo p
Z_p[x] = polynomials with coefficients in Z_p
  Example if p = 3: 1 + x, 2 + x^2 + x^1001
Z_p[x]/(x^n - 1) = polynomials of degree at most n - 1, with coefficients in Z_p
  Example if p = 3 and n = 4: 1 + x, 2 + x + x^2
Operations in Z_p[x]/(x^n - 1):
Addition: addition of polynomials modulo p
  Example if p = 3 and n = 4: (1 + x^2) + (2 + x^2 + x^3) = 3 + 2x^2 + x^3 = 2x^2 + x^3
Multiplication: polynomial multiplication modulo p and x^n - 1 (reduce using x^n = 1)
  Example if p = 3 and n = 4: (1 + x^2) * (2 + x^2 + x^3) = 2 + 3x^2 + x^3 + x^4 + x^5 = 2 + 3x^2 + x^3 + 1 + x = x + x^3
A More Efficient Idea (continued)
Az = (4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Z_p[x]/(x^n - 1), as above.
Multiplication in Z_p[x]/(x^n - 1) takes time O(n log n) using the FFT, so the whole hash costs O((m/n) * n log n) = O(m log n) instead of O(mn).
Great, a Better Hash Function!
Sample parameters: n = 64, m = 1024, p = 257 (so m/n = 16 circulant blocks)
Domain size: 2^1024 (1024 bits)
Range size: 257^64 (≈ 512 bits)
Function description (unstructured A): log_2(257) * 64 * 1024 ≈ 525,000 bits
"New function" description (16 first columns): log_2(257) * 64 * 16 ≈ 8192 bits
and it's much faster!
But Is it Hard to Find Collisions?
(h(z) = Az with A built from circulant blocks, as above.)
NO!
Finding Collisions
The idea: find a subset D' of the domain on which h maps into a small subset R' of the range. If |D'| > |R'|, the pigeonhole principle gives two inputs in D' with the same hash.
Finding Collisions
Take the slide's A with circulant blocks whose first columns are (4,7,2,1) and (10,13,1,7). For a general z, h(z) = Az is a vector in Z_q^n.
How many possibilities are there for this vector? q^n.
There is a way to pick the z vector "smarter" so that the number of possibilities is just q.
Finding Collisions
Key observation: a circulant block times the all-zeros vector is 0, and a circulant block times the all-ones vector is a constant vector, because every row of a circulant matrix contains the same entries in a different order. With the block whose rows are (4,1,2,7), (7,4,1,2), (2,7,4,1), (1,2,7,4):
block * (0,0,0,0) = (0,0,0,0)
block * (1,1,1,1) = (14,14,14,14)   since 4 + 1 + 2 + 7 = 14
Finding Collisions
Set each block of z to either all 0's or all 1's. Then every block contributes either 0 or c_i * (1,1,...,1), where c_i is the sum of the entries of that block's first column, so h(z) is always of the form c * (1,1,...,1) with c in Z_q: only q possible outputs.
How many possibilities for z are there? 2^(# of blocks).
Need 2^(# of blocks) > q to guarantee a collision of this form, i.e. # of blocks > log_2 q.
Collision-Resistant Hash Function (the general SIS-based construction)
Given: vectors a_1, ..., a_m in Z_q^n.
Find: a non-trivial solution z_1, ..., z_m in {-1,0,1} such that z_1 a_1 + z_2 a_2 + ... + z_m a_m = 0 in Z_q^n.
A = (a_1, ..., a_m). Define h_A: {0,1}^m -> Z_q^n by h_A(z_1, ..., z_m) = a_1 z_1 + ... + a_m z_m.
Domain of h = {0,1}^m (size 2^m); range of h = Z_q^n (size q^n).
Set m > n log q to get compression. A collision z ≠ z' gives z - z' in {-1,0,1}^m with A(z - z') = 0, i.e. a solution to the problem above.
But with circulant blocks, compression already forces # of blocks = m/n > log q, which is exactly what the collision attack needs.
But ...
Theorem: For a random r in Z_q^n, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q = r (A built from random circulant blocks, as above).
So the circulant construction is still one-way even though it is not collision-resistant:
Worst-case lattice problems for "cyclic lattices" -> average-case problem (find short z with Az = r) -> one-way functions
Cyclic Lattices
A set L in Z^n is a cyclic lattice if:
1.) For all v, w in L, v + w is also in L. Example (n = 4): (-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2).
2.) For all v in L, -v is also in L. Example: (-1,2,3,-4) -> (1,-2,-3,4).
3.) For all v in L, a cyclic shift of v is also in L. Example: (-1,2,3,-4) -> (-4,-1,2,3) -> (3,-4,-1,2) -> (2,3,-4,-1).
Cyclic Lattices = Ideals in Z[x]/(x^n - 1)
Identifying a vector (v_0, ..., v_{n-1}) with the polynomial v_0 + v_1 x + ... + v_{n-1} x^{n-1}, a cyclic shift is multiplication by x modulo x^n - 1 (x * (-1 + 2x + 3x^2 - 4x^3) = -4 - x + 2x^2 + 3x^3), so conditions 1.)-3.) say exactly that L is an ideal of Z[x]/(x^n - 1). Such an L is also called an (x^n - 1)-ideal lattice.
What About Hash Functions?
h(z) = Az with circulant blocks (multiplication in Z_q[x]/(x^n - 1)) is not collision-resistant, by the block-collision attack above.
A "Simple" Modification
Replace the circulant blocks by negacyclic ones: each column is the previous one rotated down with the entry that wraps around negated. The block with first column (4,7,2,1) then has columns (4,7,2,1), (-1,4,7,2), (-2,-1,4,7), (-7,-2,-1,4), i.e. rows (4,-1,-2,-7), (7,4,-1,-2), (2,7,4,-1), (1,2,7,4). This is multiplication in Z_q[x]/(x^n + 1) instead of Z_q[x]/(x^n - 1).
Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q = 0.
Lattice Problems for (x^n + 1)-Ideal Lattices
Worst-case lattice problems for (x^n + 1)-ideal lattices
  -> average-case Small Integer Solution problem (SIS) over Z_q[x]/(x^n + 1)
       -> one-way functions, collision-resistant hash functions, digital signatures, identification schemes  (Minicrypt)
(x^n + 1)-Ideal Lattices
A set L in Z^n is an (x^n + 1)-ideal lattice if:
1.) For all v, w in L, v + w is also in L. Example (n = 4): (1,2,3,4) + (-7,-2,3,6) = (-6,0,6,10).
2.) For all v in L, -v is also in L. Example: (1,2,3,4) -> (-1,-2,-3,-4).
3.) For all v in L, its "negative rotation" is also in L: shift the entries right by one and negate the entry that wraps around. Example: (1,2,3,4) -> (-4,1,2,3) -> (-3,-4,1,2) -> (-2,-3,-4,1).
Identifying vectors with polynomials as before, the negative rotation is multiplication by x modulo x^n + 1 (since x^n = -1), so these are exactly the ideals of Z[x]/(x^n + 1).
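The ring arithmetic from the interlude, the circulant hash, the all-0/all-1 block collision attack, and the (x^n + 1) modification, all in one added worked example (not code from the lecture). `poly_mul` implements Z_p[x]/(x^n - 1) for sign = +1 and Z_p[x]/(x^n + 1) for sign = -1, so the same hash code serves both constructions; `rotate` is the cyclic shift / negative rotation from the ideal-lattice definitions. Function names and the toy parameters n = 4, p = 17, 5 blocks are ours; 5 blocks were chosen because 2^5 = 32 > 17, so the slide's pigeonhole argument forces a collision in the cyclic case.

```python
# Ideal-lattice hash over Z_p[x]/(x^n -/+ 1) with the block-collision attack
# (added example; schoolbook multiplication, not the lecture's FFT version).
import random
from itertools import product


def poly_mul(a, b, p, n, sign):
    """a(x)*b(x) in Z_p[x]/(x^n - sign): sign=+1 means x^n = 1 (cyclic,
    circulant blocks), sign=-1 means x^n = -1 (negacyclic blocks)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, c = i + j, ai * bj
            if k >= n:                    # wrap x^(n+t) -> sign * x^t
                k, c = k - n, sign * c
            out[k] = (out[k] + c) % p
    return out


def rotate(v, sign):
    """Multiplication by x as a vector operation: cyclic shift (sign=+1) or the
    'negative rotation' of an (x^n+1)-ideal lattice (sign=-1)."""
    return [sign * v[-1]] + list(v[:-1])


def hash_ideal(A, z, p, n, sign):
    """h_A(z) = sum_i a_i(x) * z_i(x), z split into len(A) blocks of n coefficients.
    a_i is the first column of block i.  With z in {0,1}^m this is the hash;
    with z in {-1,0,1}^m it is the SIS map, so z1 - z2 for a collision is a
    SIS solution."""
    acc = [0] * n
    for i, a in enumerate(A):
        blk = poly_mul(a, z[i * n:(i + 1) * n], p, n, sign)
        acc = [(x + y) % p for x, y in zip(acc, blk)]
    return acc


def block_input(bits, n):
    """The attack's restricted domain D': every block is all-0 or all-1."""
    return [bit for bit in bits for _ in range(n)]


def find_structured_collision(A, p, n, sign):
    """Enumerate the 2^k block-constant inputs (k = number of blocks) and return
    two distinct ones with the same hash, or None.  For sign=+1 every all-ones
    block hashes to a constant vector, so h(D') has at most p elements and
    2^k > p guarantees a collision by pigeonhole.  For sign=-1 the all-ones
    block does not collapse to a constant and the argument fails."""
    seen = {}
    for bits in product((0, 1), repeat=len(A)):
        z = block_input(bits, n)
        h = tuple(hash_ideal(A, z, p, n, sign))
        if h in seen:
            return seen[h], z
        seen[h] = z
    return None


def is_constant(v):
    return all(x == v[0] for x in v)


def random_key(seed, k, n, p):
    """k random first columns in Z_p^n, one per block (the whole description of A)."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


if __name__ == "__main__":
    A = random_key(3, 5, 4, 17)
    print("cyclic collision:", find_structured_collision(A, 17, 4, +1))
    print("all-ones block, cyclic:   ", poly_mul([4, 7, 2, 1], [1, 1, 1, 1], 17, 4, +1))
    print("all-ones block, negacyclic:", poly_mul([4, 7, 2, 1], [1, 1, 1, 1], 17, 4, -1))
```

Running the search with sign = -1 on the same key may or may not find a collision among the 32 structured inputs (it is now a birthday search into p^n = 83521 outputs, not into p), which is the whole point of the modification: the attack's guarantee disappears, and the theorem on the previous slide says no other efficient strategy exists either.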
So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions:
- More efficient than any other provably-secure hash function
- Almost as efficient as the ones used in practice
- Can only prove collision-resistance (no other hash-function property is proven)
Signature schemes:
- Theoretically, very efficient
- In practice, efficient
- Key length ≈ 20,000 bits
- Signature length ≈ 50,000 bits