Blue Border - Courant Institute of Mathematical Sciences
Transcript
Lattice-Based Cryptography

Overview
Lattice Problems (worst-case) -> average-case problems:
- Small Integer Solution Problem (SIS)
- Learning With Errors Problem (LWE)
Applications:
- (Minicrypt) One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
- (Cryptomania) Public Key Encryption, Oblivious Transfer, Identity-Based Encryption, Hierarchical Identity-Based Encryption

Learning With Errors Problem
Find the secret s, given:
a_1, b_1 = <a_1,s> + e_1
a_2, b_2 = <a_2,s> + e_2
...
- s is chosen randomly in Z_q^n
- a_i are chosen randomly from Z_q^n
- e_i are "small" elements in Z_q

(Decisional) Learning With Errors Problem
Distinguish between these two distributions:
Oracle 1:
a_1, b_1 = <a_1,s> + e_1
a_2, b_2 = <a_2,s> + e_2
...
- s is chosen randomly in Z_q^n
- a_i are chosen randomly from Z_q^n
- e_i are "small" elements in Z_q
Oracle 2:
a_1, b_1
a_2, b_2
...
- a_i are chosen randomly from Z_q^n
- b_i are chosen randomly from Z_q

LWE < d-LWE (search LWE reduces to decisional LWE)
Take a vector v and a guess g for <v,s>.
- If g = <v,s>, then we will produce the Oracle 1 distribution.
- If g ≠ <v,s>, then we will produce the Oracle 2 distribution.
Use the distinguisher to tell us whether the guess for <v,s> was correct. Setting v = (1,0,...,0), then (0,1,0,...,0), ... recovers all the coordinates of s.
Given an LWE sample (a, b) = (a, <a,s>+e), pick a random r in Z_q and output
(a+rv, b+rg) = (a+rv, <a,s>+e+rg)
If g = <v,s>, then (a+rv, b+rg) = (a+rv, <a,s>+e+r<v,s>) = (a+rv, <a+rv,s>+e), an Oracle 1 sample.
If g ≠ <v,s>, write g = <v,s>+g' with g' ≠ 0. Then (a+rv, b+rg) = (a+rv, <a,s>+e+r<v,s>+rg') = (a+rv, <a+rv,s>+e+rg').
r is independent of a' = a+rv, s and e, so for every u in Z_q
Pr[<a',s>+e+rg' = u | a'] = Pr[r = (u-(<a',s>+e))·(g')^-1] = 1/q
(g' is invertible when q is prime), i.e. the second component is uniform: an Oracle 2 sample.

Learning With Errors Problem (matrix form)
[figure: the m×n matrix A with rows a_1,...,a_m, times s, plus e, equals b]
- a_i, s are in Z_q^n
- e is in Z_q^m
- all coefficients of e are < sqrt(q)
Equivalently: A·s + e = b with A in Z_q^{m×n}, s in Z_q^n, e in Z_q^m, all coefficients of e < sqrt(q).
LWE problem: distinguish (A, As+e) from (A, b) where b is random.

Public Key Encryption Based on LWE
[figure: A·s + e = b]
- Secret key: s in Z_q^n
- Public key: A in Z_q^{m×n}, b = As+e, where each coefficient of e is < sqrt(q)
Encrypting a single bit z in {0,1}: pick r in {0,1}^m and send (rA, <r,b> + z(q/2)).

Proof of Semantic Security
[figure: r·A and r·b + z(q/2), with b = As+e]
If b is random, then (A, rA, <r,b>) is also completely random, so (A, rA, <r,b>+z(q/2)) is also completely random. Since (A,b) looks random (based on the hardness of LWE), so does (A, rA, <r,b>+z(q/2)) for any z.

Decryption
Have (u,v) where u = rA and v = <r,b> + z(q/2). Compute <u,s> - v:
- if <u,s> - v is closer to 0 than to q/2, decrypt to 0
- if <u,s> - v is closer to q/2 than to 0, decrypt to 1
<u,s> - v = rAs - r(As+e) - z(q/2) = -<r,e> - z(q/2)
If all coefficients of e are < sqrt(q), then |<r,e>| < m·sqrt(q). So if q >> m·sqrt(q), the term z(q/2) "dominates" -<r,e> - z(q/2).

Lattices in Practice
Lattices have some great features:
- very strong security proofs
- the schemes are fairly simple
- relatively efficient
But there is a major drawback: the schemes have very large keys.

Hash Function
Description of the hash function: a_1,...,a_m in Z_q^n. Input: a bit-string z_1...z_m in {0,1}^m.
h(z_1...z_m) = z_1 a_1 + z_2 a_2 + ... + z_m a_m
Sample parameters: n=64, m=1024, p=257
- Domain size: 2^1024 (1024 bits)
- Range size: 257^64 (≈ 512 bits)
- Function description: log(257)·64·1024 ≈ 525,000 bits

Public-Key Cryptosystem
(Textbook) RSA:
- Key size: ≈ 2048 bits
- Ciphertext length (2048-bit message): ≈ 2048 bits
LWE-based scheme:
- Key size: ≈ 600,000 bits
- Ciphertext length (2048-bit message): ≈ 40,000 bits

Source of Inefficiency
[figure: h(z) = A·z, with A an n×m matrix of random entries and z a 0/1 column vector of length m]
A requires O(mn) storage, and computing the function takes O(mn) time.

A More Efficient Idea
[figure: A built from m/n circulant n×n blocks; with n=4 the first block has rows (4 1 2 7), (7 4 1 2), (2 7 4 1), (1 2 7 4) and the second block has rows (10 7 1 13), (13 10 7 1), (1 13 10 7), (7 1 13 10)]
Now A only requires m storage (the first column of each block), and Az can be computed faster as well.

A More Efficient Idea (continued)
With z = (1,0,0,1, 0,1,1,0), Az is the sum of the two block products, and each block product is a polynomial multiplication (a circulant block with first column (a_0,...,a_{n-1}) corresponds to the polynomial a_0 + a_1 x + ... + a_{n-1} x^{n-1}):
Az = (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) in Z_p[x]/(x^n-1)

Interlude: What is Z_p[x]/(x^n-1)?
- Z = integers
- Z_p = integers modulo p
- Z_p[x] = polynomials with coefficients in Z_p. Example if p=3: 1+x, 2+x^2+x^1001
- Z_p[x]/(x^n-1) = polynomials of degree at most n-1, with coefficients in Z_p. Example if p=3 and n=4: 1+x, 2+x+x^2

Operations in Z_p[x]/(x^n-1)
Addition: addition of polynomials modulo p. Example if p=3 and n=4:
(1+x^2) + (2+x^2+x^3) = 2x^2+x^3
Multiplication: polynomial multiplication modulo p and x^n-1. Example if p=3 and n=4:
(1+x^2) · (2+x^2+x^3) = 2+3x^2+x^3+x^4+x^5 = 2+3x^2+x^3+1+x = x+x^3
Multiplication in Z_p[x]/(x^n-1) takes time O(n log n) using the FFT.

Great, a Better Hash Function!
Sample parameters: n=64, m=1024, p=257
- Domain size: 2^1024 (1024 bits)
- Range size: 257^64 (≈ 512 bits)
- Function description: log(257)·64·1024 ≈ 525,000 bits
- "New function" description: log(257)·64·16 ≈ 8192 bits, and it's much faster!

But Is it Hard to Find Collisions?
[figure: the block-circulant A from above]
NO!

Finding Collisions
[figure: h mapping a domain D to a range R, and a domain D' to a range R']

Finding Collisions
[figure: Az written block by block: (first block)·(z_1,...,z_4) + (second block)·(z_5,...,z_8) in Z_q^n]
How many possibilities are there for this vector? q^n. There is a way to pick the z vector "smarter" so that the number of possibilities is just q.

Finding Collisions
[figure: (first block)·(0,0,0,0) = (0,0,0,0) and (first block)·(1,1,1,1) = (14,14,14,14)]
Set each block of z to either all 0's or all 1's (a circulant block times the all-ones vector has every coordinate equal to the sum of the block's first column, here 4+1+2+7 = 14). How many possibilities for z are there? 2^(# of blocks). Need 2^(# of blocks) > q to guarantee a collision of this form, i.e. # of blocks > log q.

Collision-Resistant Hash Function
Given: vectors a_1,...,a_m in Z_q^n
Find: a non-trivial solution z_1,...,z_m in {-1,0,1} such that z_1 a_1 + z_2 a_2 + ... + z_m a_m = 0 in Z_q^n
A = (a_1,...,a_m). Define h_A: {0,1}^m -> Z_q^n where h_A(z_1,...,z_m) = a_1 z_1 + ... + a_m z_m.
- Domain of h = {0,1}^m (size 2^m)
- Range of h = Z_q^n (size q^n)
Set m > n log q to get compression; then # of blocks = m/n > log q.

But ...
[figure: Az = r for the block-circulant A and a target vector r]
Theorem: For a random r in Z_q^n, it is hard to find a z with coefficients in {-1,0,1} such that Az mod q = r.

Lattice Problems for "Cyclic Lattices" (worst-case) -> average-case -> One-Way Functions

Cyclic Lattices
A set L in Z^n is a cyclic lattice if:
1.) For all v,w in L, v+w is also in L. Example: (-1,2,3,-4) + (-7,-2,3,6) = (-8,0,6,2)
2.) For all v in L, -v is also in L. Example: -(-1,2,3,-4) = (1,-2,-3,4)
3.) For all v in L, a cyclic shift of v is also in L. Example: (-1,2,3,-4) -> (-4,-1,2,3) -> (3,-4,-1,2) -> (2,3,-4,-1)

Cyclic Lattices = Ideals in Z[x]/(x^n-1)
(the same three conditions as above)

(x^n-1)-Ideal Lattices
A set L in Z^n is an (x^n-1)-ideal lattice if it satisfies the same three conditions: closed under addition, negation and cyclic shift.

What About Hash Functions?
[figure: the block-circulant A]
Not collision-resistant.

A "Simple" Modification
[figure: the blocks become negacyclic; the first block has rows (4 -1 -2 -7), (7 4 -1 -2), (2 7 4 -1), (1 2 7 4) and the second block has rows (10 -7 -1 -13), (13 10 -7 -1), (1 13 10 -7), (7 1 13 10)]
Theorem: It is hard to find a z with coefficients in {-1,0,1} such that Az mod q = 0.

Lattice Problems for (x^n+1)-Ideal Lattices (worst-case) -> average-case -> Small Integer Solution Problem (SIS) -> One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)

(x^n+1)-Ideal Lattices
A set L in Z^n is an (x^n+1)-ideal lattice if:
1.) For all v,w in L, v+w is also in L. Example: (1,2,3,4) + (-7,-2,3,6) = (-6,0,6,10)
2.) For all v in L, -v is also in L. Example: -(1,2,3,4) = (-1,-2,-3,-4)
3.) For all v in L, its "negative rotation" is also in L. Example: (1,2,3,4) -> (-4,1,2,3) -> (-3,-4,1,2) -> (-2,-3,-4,1)

So How Efficient are the Ideal Lattice Constructions?
Collision-resistant hash functions:
- more efficient than any other provably-secure hash function
- almost as efficient as the ones used in practice
- can only prove collision-resistance
Signature schemes:
- theoretically, very efficient
- in practice, efficient
- key length ≈ 20,000 bits
- signature length ≈ 50,000 bits
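The block-circulant hash and its structural collision from the "A More Efficient Idea", "Operations in Z_p[x]/(x^n-1)" and "Finding Collisions" slides, as an added Python example that is not from the slides. The five generator polynomials, p=17 and n=4 are constructed (2^5 = 32 > 17 guarantees a collision among the all-0/all-1 block patterns); the `negacyclic` flag goes beyond the slides and shows that the x^n+1 variant from "A 'Simple' Modification" does not send an all-ones block to a constant vector.

```python
from itertools import product

# Constructed sample: first columns of five circulant blocks, n = 4, p = 17.
BLOCKS = [(4, 7, 2, 1), (10, 13, 1, 7), (3, 0, 5, 2), (9, 9, 1, 4), (6, 2, 2, 8)]

def poly_mul(a, b, p, n, negacyclic=False):
    """Multiply coefficient lists in Z_p[x]/(x^n - 1); negacyclic=True uses x^n + 1."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, c = i + j, ai * bj
            if k >= n:                 # reduce x^k for k >= n
                k -= n
                if negacyclic:
                    c = -c             # x^n = -1 instead of x^n = 1
            out[k] = (out[k] + c) % p
    return out

def hash_z(blocks, z, p, n, negacyclic=False):
    """h(z) = sum_i a_i(x) * z_i(x): z is split into len(blocks) chunks of n bits,
    each read as a polynomial, which is exactly the block-circulant product A z."""
    acc = [0] * n
    for i, a in enumerate(blocks):
        prod_i = poly_mul(a, z[i * n:(i + 1) * n], p, n, negacyclic)
        acc = [(x + y) % p for x, y in zip(acc, prod_i)]
    return acc

def structured_collision(blocks, p, n):
    """Cyclic case: a block times an all-ones chunk is the constant vector
    (s_i, ..., s_i) with s_i = sum(a_i) mod p, so choosing each block all-0 or
    all-1 leaves only p possible outputs. With 2^len(blocks) > p, pigeonhole
    yields two patterns with the same output; return them as bit vectors."""
    def expand(pattern):
        return [bit for bit in pattern for _ in range(n)]
    seen = {}
    for pattern in product((0, 1), repeat=len(blocks)):
        value = sum(sum(a) for a, on in zip(blocks, pattern) if on) % p
        if value in seen:
            return expand(seen[value]), expand(pattern)
        seen[value] = pattern
    return None

if __name__ == "__main__":
    z1, z2 = structured_collision(BLOCKS, 17, 4)
    print(z1, z2, hash_z(BLOCKS, z1, 17, 4) == hash_z(BLOCKS, z2, 17, 4))
    # x^n + 1 variant: the all-ones chunk no longer maps to a constant vector.
    ones = [1, 1, 1, 1]
    print(hash_z(BLOCKS[:1], ones, 17, 4), hash_z(BLOCKS[:1], ones, 17, 4, negacyclic=True))
```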